Colorado officials say election equipment updated in wake of password leak

Colorado officials said Friday that state employees had completed the process of updating passwords on elections equipment across the state that had been affected by the improper disclosure of certain system passwords.

Employees were deployed to affected counties across the state to coordinate with local elections officials, update the passwords and review access logs to ensure that no systems were compromised. The effort “concluded successfully Thursday evening,” the office of Colorado Secretary of State Jena Griswold said in a press release.

“We appreciate the swift work to update these passwords and provide voters confidence in Colorado’s elections system,” Gov. Jared Polis, a Democrat, said in a statement. “While the leaked passwords compromised just one of many layers of security that protect our election integrity in Colorado, we knew it was critical to take swift action and to work with Secretary Griswold and the county clerks to update the passwords immediately.”

Griswold disclosed on Tuesday that a document posted to her office’s website included a hidden but accessible worksheet containing Basic Input Output System — or BIOS — passwords. The passwords reportedly were for more than 700 election system components in every Colorado county except Las Animas. The leak reportedly was brought to her office’s attention by an affidavit sworn by an unnamed person and shared in a mass email this week by the Colorado Republican Party.

By Thursday, eight staff members from the Colorado Department of State and an additional 22 state cybersecurity employees had been dispatched to affected counties to complete the process of changing the passwords. The employees worked in pairs under the supervision of local elections officials.

“This password disclosure never posed an immediate security threat to Colorado’s elections, nor will it impact how ballots are counted,” the secretary of state’s office said. “Changes to passwords were made out of an abundance of caution.”

In the days following the leak’s disclosure, county clerks from both parties as well as independent election security experts have echoed that assessment. Duncan Buell, a computer scientist who researches election systems and serves as the chair emeritus of the Computer Science and Engineering department at the University of South Carolina, told Newsline Wednesday that while the leak is “concerning,” he believes “there are sufficient safeguards in place that this is not a disaster.”

The Colorado County Clerks Association said Thursday that anyone in possession of the BIOS passwords who wished to tamper with elections systems would still “require physical access to the voting equipment, something strictly controlled by each county clerk and monitored 24 hours a day, seven days a week by video surveillance.”

“I want to thank Gov. Polis for deploying extra state resources to help in this effort,” Griswold, a Democrat, said in a statement. “Colorado has many layers of security to ensure our elections are free and fair, and every eligible voter should know their voice will be heard.”

Editor’s note: This story first appeared on Colorado Newsline, which is part of States Newsroom, a nonprofit news network supported by grants and a coalition of donors as a 501c(3) public charity. Colorado Newsline maintains editorial independence. Contact Editor Quentin Young for questions: info@coloradonewsline.com. Follow Colorado Newsline on Facebook and X.