Colorado voting system partial passwords posted online by mistake

Partial passwords to some parts of the state's voting systems that were accidentally posted online pose no threat to the November 5 general election, the Colorado Department of State said on Tuesday.

The department said a spreadsheet located on its website "improperly" included a hidden tab including partial passwords to certain components of Colorado voting systems.

"This does not pose an immediate security threat to Colorado’s elections, nor will it impact how ballots are counted," it said.

The department said it took immediate action and informed the Cybersecurity and Infrastructure Security Agency (CISA).

A CISA spokesperson said the agency is aware of the incident and is in communication with the Colorado Secretary of State’s Office.

"We understand the incident only impacts voting systems in Colorado and defer to the Secretary of State's office for mitigation specifics," the spokesperson said.

Hope Scheppelman, the vice chair of the state's Republican Party, said over 600 passwords for voting systems in 63 of Colorado's 64 counties were shared on the website. She said the passwords were not encrypted, and they had been posted since at least August.

Scheppelman released an affidavit of a person claiming to have accessed the passwords from August 8 to October 23. The name of the person was blocked out. Reuters was not able to independently verify it.

In its statement, the Colorado Department of State said the state's election process includes many layers of security.

"There are two unique passwords for every election equipment component, which are kept in separate places and held by different parties," it said. "Passwords can only be used with physical in-person access to a voting system."

It added that there are strict chain of custody requirements that track when voting system components have been accessed and by whom.