Camilla Raffaelli, Daniela De Luca, Sakura Morales Furuta
Elena Alice Rossetti, Finley Thomas, Editor
October 30, 2024
Password Leak [1]
Current Situation:
On October 29, 2024, the Colorado Department of State (DoS) acknowledged a password leak on their website concerning “certain components of the Colorado voting systems.”[2] Numerous claims circulating on X are alleging this leaked content poses a threat to the integrity of the electoral process, “allowing broad access for knowledgeable users to fundamentally manipulate systems and data and to remove any trace of doing so.”[3] The Colorado DoS has reassured voters that leaked passwords can only be used through on-site access in a secure location, requiring ID access and knowledge of secondary passwords, safeguarded in a different location.[4] The Colorado DoS removed the file after the leak and notified the Cybersecurity and Infrastructure Agency (CISA), who are now closely monitoring the situation.[5]
Day/Time of event: October 29, 2024 / Morning local time
What is the current threat:
Considering the multi-layered security procedures in place, the password leak will unlikely pose a direct threat to the electoral integrity in Colorado. However, due to the widespread claims of potential integrity risk on social media platforms such as X, misinformation and disinformation will very likely spread around the topic, likely continuing past the election results. Malicious online actors will very likely claim that opposing forces within the elections will manipulate the election results in Colorado, likely casting doubt over the validity of said votes and undermining the local electoral process.
The potential threat includes adversaries or unauthorized individuals who could leverage this information of social engineering or reconnaissance to compromise election security. External threat actors, such as cyber attackers, could very likely attempt phishing against known officials to seek remaining access details. Emerging threats will likely involve the use of advanced cyber tactics, such as spear phishing or rogue wi-fi networks, to exploit the system vulnerabilities. Coordinated cyber campaigns will likely aim at undermining public trust in the electoral process and challenging the electoral dynamics.
Cybersecurity agencies such as CISA will very likely increase their monitoring efforts of potential external threats concerning password leaks. CISA will likely implement cybersecurity monitoring tools, such as Security Operations Centers (SOCs), to mitigate the risks of external threats. Cybersecurity responses will very likely include vulnerability assessments and threat-hunting to highlight potential further issues in password access by threat actors such as cyber attackers, almost certainly focusing efforts on electoral integrity vulnerabilities.
Who will it directly impact:
Colorado DoS
US political parties
Parties’ presidential candidates
US citizens and electorates
Colorado voters
US Election Assistance Commission (EAC)
State election offices nationwide
Election officials and clerks in Colorado and other US states
US Cybersecurity agencies like CISA
Recommendations
The Counterterrorism Group (CTG) recommends that cybersecurity teams, such as CISA, should implement stricter monitoring techniques to mitigate threats and adversaries seeking access to sensitive information and passwords.
The Colorado DoS should increase surveillance of secure physical entry points to respond promptly if additional activities arise.
Social media users on platforms such as X should approach information on this event critically, trusting official sources (such as the Colorado GOP or CISA) over non-official sources and social media accounts.
Social media users should refrain from spreading misinformation about the password leak, fact-checking claims encountered, and reporting disinformation endangering the integrity of the 2024 Presidential Elections.
The DoS should bolster public awareness campaigns to educate citizens on the risks of disinformation, misinformation, and malinformation related to elections, clarifying how these tactics can impact trust and electoral dynamics.
[1] Credentials breach, generated by a third party image database (created by AI)
[2] Statement from Colorado Department of State on Systems Passwords, Colorado Department of State, October 2024, https://www.sos.state.co.us/pubs/pressReleases
[3] @Behiztweets, X, October 30, 2024, https://x.com/BehizyTweets/status/185139
[4] Statement from Colorado Department of State on Systems Passwords, Colorado Department of State, October 2024, https://www.sos.state.co.us/pubs/pressReleases
[5] Ibid