Colorado voting system passwords were visible online for months after they were posted by Colorado Secretary of State Jena Griswold’s office – and weren’t changed until the state’s Republican Party exposed the security breach on Tuesday.
The passwords, known as BIOS, are used to alter the state’s voting machine system settings.
“The Colorado Secretary of State’s Office inadvertently posted a spreadsheet to its website with a hidden tab that included voting system passwords,” Denver 9News Investigative Journalist Marshall Zelinger reported on Tuesday, noting that the tabs could be unhidden by anyone accessing the spreadsheet.
The security lapse was exposed Tuesday when the Colorado GOP reported that it had discovered and obtained corroboration that the passwords were visible online:
“According to an affidavit sent to the Republican Party of Colorado, Colorado Secretary of State, Jena Griswold, shared a file on her website that contained over 600 BIOS passwords for voting system components in 63 of the state’s 64 counties.
“On Thursday, October 24, 2024, those BIOS passwords were discretely removed by an unnamed official. A letter from the Colorado GOP has been sent to the Colorado Secretary of State's Office and can be reviewed below.
“The passwords were not encrypted or otherwise protected – this means they were available for public consumption. The file appears to have been posted at least since August; the amended version of the file was reposted last Thursday.”
However, while the passwords may have been removed from the Internet on October 24, the passwords weren’t changed until after the Colorado GOP publicly exposed the scandal on October 29.
“Colorado's Democratic Secretary of State Jena Griswold found out on Oct. 24. Her office only started changing the leaked passwords after the issue was made public,” Zelinger reported in a subsequent article:
“A spokesperson for Griswold said the office did not start having any of the passwords changed until the security issue became public on Tuesday. Her office also did not notify county clerks until it became public.”
Thus, anyone who previously obtained the passwords could have, theoretically, used them for a week after the Secretary of State’s office pulled them offline. But, in order to do so, they would have needed a second password and a way past other layers of security.
What's more, county employees and the public were kept in the dark about the password problem until October 29, after the GOP release.
Voting integrity security problems are nothing new to Secretary of State Griswold’s office.
“The reported password leak comes less than a week after Griswold held a news conference to announce a voter fraud scheme in Mesa County had been foiled, but that three of about a dozen stolen ballots had been fraudulently cast there,” The Denver Post reported Tuesday.
In 2022, Secretary of State Griswold’s officer sent postcards to 30,000 non-citizens encouraging them to vote, due to what was deemed a “database glitch.” That same year, Griswold’s office reportedly used the state’s ballot tracking system to send vote-encouraging messages to Colorado citizens who had already voted.
“Given your office’s repeated errors that have damaged confidence in our elections, which you say is paramount, will you resign?” 9News’ Kyle Clark asked Griswold in an interview discussing the leak of passwords revealed this week.
“Absolutely not,” Secretary of State Griswold answered.