Election system passwords mistakenly exposed on Colorado secretary of state’s website
(Colorado Newsline) Passwords to Colorado voting equipment were inadvertently exposed when they were posted as part of a spreadsheet on the Colorado secretary of state’s website.
The leak of the information “does not pose an immediate security threat to Colorado’s elections,” according to a press release from the office of Secretary of State Jena Griswold, a Democrat, who acknowledged the error Tuesday.
Her office described the compromised information as “partial passwords to certain components of Colorado voting systems.”
The leak was revealed in a mass email from the Colorado Republican Party, which said it learned of the leak after an unnamed person sent to the party an affidavit attesting to how the person discovered it. The person said in the affidavit they accessed three times starting in early August a spreadsheet posted on the secretary of state’s website that contains an inventory, which the secretary is required to maintain, of voting system components used throughout Colorado’s 64 counties.
The person said they were able to view passwords to many of the components by right-clicking the worksheet and selecting “unhide,” which provided access to other hidden worksheets. One of the hidden worksheets contained Basic Input Output System — or BIOS — passwords for more than 700 election system components in every Colorado county except Las Animas, the affidavit says. The errant document has since been pulled from the secretary of state’s website.
“We hear all the time in Colorado from Secretary Griswold and Governor (Jared) Polis that we represent the ‘Gold Standard’ for election integrity, a model for the nation,” Dave Williams, chair of the Colorado GOP, said in a statement. “One can only hope that by the Secretary of State posting our most sensitive passwords online to the world dispels that myth.”
The email from the party cautions that exposure of the passwords itself does not constitute a breach of election security, but “it does demonstrate a major lapse in basic systems security and password management.”
Every election equipment component has two passwords that are kept in separate places by different people, and they can be used only through in-person access, according to the secretary of state’s office. Just one of the two passwords to a given component were exposed in the leak, according to Griswold.
In an interview with 9News Tuesday, Griswold said the passwords were mistakenly posted for several months and were discovered by her office Thursday.
“This is not a security threat,” Griswold told anchor Kyle Clark. “There are two passwords to get into any voting component, along with physical access. We have layers of security, and out of just an abundance of caution, have staff in the field changing passwords, looking at access logs and looking at the entire situation and continuing our investigation.”
Her office disclosed the leak to, and is working with, the federal Cybersecurity and Infrastructure Security Agency as part of its response. She noted that not all of the exposed passwords were active.
Explaining how the passwords were inadvertently exposed, Griswold told 9News, “We, unfortunately, had a civil servant upload a spreadsheet with some passwords to voting equipment.”
In 2021, Mesa County election system BIOS passwords were leaked after then-County Clerk Tina Peters participated in a criminal breach of her own election system. Peters was sentenced earlier this month to almost nine years in prison on felony convictions related to her role in the breach.
Colorado Newsline is part of States Newsroom, a nonprofit news network supported by grants and a coalition of donors as a 501c(3) public charity. Colorado Newsline maintains editorial independence. Contact Editor Quentin Young for questions: info@coloradonewsline.com. Follow Colorado Newsline on Facebook and X.