Login credentials belonging to several Martin County, Florida, election officials were inadvertently exposed by what an election security researcher says was an unsecured backup database that had likely been publicly accessible since 2017.
The California-based security firm UpGuard said Thursday that more than 1,200 accounts assigned to county officials—at least six of which were assigned to election supervisors—were left publicly accessible by a third-party IT vendor. The data included email address, hashed passwords, and timestamps indicating each users’ creation date and last login.
Chris Vickery, UpGuard’s director of risk research, said he discovered the database while hunting for potentially sensitive election materials online. He notified Martin County officials of the exposure on September 18 and the database was secured shortly after. Only those with control of the database can confirm whether anyone else gained access, he said.
An attorney for the Martin County Administration Center said Thursday that the database contained obsolete data and emphasized the database is not the property of Martin County’s election supervisor, which is an elected office.
It was not immediately clear whether or when the passwords, which provided access to the county’s intranet and web presence, according to UpGuard, had been changed. The county attorney said he was not authorized to answer questions from the press.
Vickery warned that a single leaked password is sometimes all a hacker needs to compromise an entire network. “The backups database we found was not the same system that processes votes. However, the risk of someone pivoting to election systems once a county network is compromised is real,” he said.
Once a sophisticated hacker gains a foothold in a network, they often seek to escalate their access while moving across various networked devices and exploiting bugs and misconfigurations. They can plant malware designed to quietly steal information or wreak havoc by wiping critical files. Information gleaned from a network can be used to perform social engineering attacks via phone or email in an effort to gain further privilege on the network.
Though the passwords leaked by Martin County’s vendor were hashed, or mathematically scrambled, it is sometimes trivial, depending on the hashing scheme, for the passwords to be cracked and made once again legible, particularly for hackers with access to state resources. The SHA-256 hash algorithm used to store the county’s passwords may not pose a significant challenge to a state-sponsored attacker, particularly if the passwords are not properly complex.
Sensitive credentials stored on cloud storage devices, such as Amazon S3 buckets, are frequently left exposed to the public, often by fault of third-party vendors. Hackers have developed a variety of automated tools designed to scan the internet for S3 buckets whose files aren’t password protected.
Florida carries 29 electoral votes, the third-most in the country, and will once again serve as a key swing state in the presidential race. As of Friday morning, former Vice President Joe Biden holds a razor-thin 1.2-point advantage over incumbent President Trump, according to RealClearPolitics’ polling average for the state.
Florida’s 18th congressional district encompasses the whole of Martin County, as well as St. Lucie County and the northeastern part of Palm Beach County. Republican Rep. Brian Mast, the incumbent candidate, faces a challenge from Democratic candidate Pam Keith, who ran for the seat in 2016 but lost in the primary.
The Intercept reported this week that Mast, who appears to have the upper hand in the race, is facing opposition from an independent candidate, K.W. Miller, who has repeatedly posted hashtags used exclusively by the far-right QAnon conspiracy movement (which asserts Trump is secretly fighting a classified war against a global network of Satanic pedophiles).
Miller called for Mast’s resignation in August after the South Florida newspaper Sun Sentinel reported on old social media posts in which Mast jokes about rape and sex with 15-year-old girls.
Intelligence officials have repeatedly warned that America’s adversaries view the election as an opportunity to undermine confidence in democratic institutions and that threats often come in the form of cyberattacks targeting election infrastructure. So-called “hack-and-leak” operations are commonly employed, as was the case in the 2016 general election.