With just under three weeks to go until election day, a new report from VoterGuard being released in partnership with Defending Digital Campaigns found over 27,000 accounts associated with political campaigns readily available online including account passwords and other sensitive personal information. 

Political campaign staff members and anyone associated with a campaign are considered high-risk users. This publicly findable information substantially increases the vulnerability of individuals and campaigns to attacks like phishing and accounts being taken over. 

Spear phishing was used to attack the Trump campaign in August as well as attempted attacks on the then-Biden campaign. This is a reminder that protecting accounts is step one for anyone associated with a political campaign. New initiatives from the industry like enabling passkeys on accounts make them virtually unphisable - even if passwords are publicly available - and are fast and easy to implement.

We sat down with Andrew Schoka, founder of VoterGuard and a former US Army Cyber Warfare Officer to talk about the key takeaways from the report. 

Q 1. What is the VoterGuard 2024 Election Threat Report and what is the greatest insight the report reveals?

VoterGuard was launched because we were passionate about empowering political organizations to better defend themselves against cyber threats. The 2024 Election Threat Report is our effort to share the most pressing risks we’ve identified for political parties and campaigns at all levels as we approach the 2024 elections.

The biggest takeaway from our report is the alarming amount of personal information exposure—over 66,000 accounts linked to political organizations were publicly discoverable through vectors like misconfigured web pages or unsecured file-sharing tools. Of the 66,000 exposed accounts in recent data breaches, 27,000 account passwords and other highly sensitive personal information were also available. This exposure makes phishing and cyberattacks much more likely, especially for local campaigns where cybersecurity resources are often stretched thin. Importantly, these threats don’t care about party lines—both sides of the political aisle are being targeted by malign actors this election cycle. 

Q 2. The report highlights personal information exposure as a significant issue. Why is this a risk for campaigns and political party staff?

In our report, we differentiate between accounts that are exposed and those that are breached.

• Exposed accounts are those we were able to find through publicly accessible sources like insecure file-sharing services or misconfigured web pages. These accounts may not have been part of a data breach, but they’re still vulnerable because their existence—and sometimes details like email addresses or usernames—are publicly visible.

• Breached accounts, on the other hand, are those whose information—such as passwords or sensitive personal details—has already been compromised in a known data breach. Once an account is breached, attackers can easily use the stolen information to gain access to other accounts if the same credentials are reused.

Both exposed and breached accounts present significant risks, but breached accounts are especially dangerous because attackers can immediately use stolen passwords or personal details to access campaign systems. Even if a password hasn’t been exposed, attackers can still use the publicly available details from exposed accounts to craft convincing social engineering or phishing attacks. For local campaigns, where volunteers and staff often use personal emails and repeat passwords, this significantly increases the chances of account takeover. 

Q 3. VoterGuard's report mentions a significant amount of publicly available campaign and party data. Why is this a concern and how could bad actors exploit it?

Publicly available campaign data is a goldmine for attackers. For smaller campaigns without the resources for comprehensive cybersecurity, it’s even more concerning. Attackers can use this information to craft highly targeted “spear-phishing” attacks, where they impersonate trusted people within the campaign to steal sensitive information.

Studies show that accounts exposed in data breaches are around 5x more likely to be targeted by phishing. Spear-phishing attacks that use personal information are even more dangerous, with success rates over 50%. As we highlighted in the report, this risk is bipartisan, and both major political parties are equally vulnerable to the threats posed by exposed and breached accounts.

Q 4. Your findings on website vulnerabilities, particularly DMARC adoption, were eye-opening. Can you elaborate on how these vulnerabilities impact campaigns and what steps can be taken to mitigate them?

DMARC is a crucial tool to help organizations protect against the risks of email spoofing. In our analysis, we found that over two-thirds of campaigns and parties had not yet implemented a secure DMARC configuration for their email domains. Without DMARC, bad actors can spoof campaign email addresses and send fraudulent messages to donors, voters, or campaign staff, tricking them into sharing sensitive information or downloading malware.

To mitigate this risk, campaigns should implement DMARC enforcement through tools like ValiMail, which can help organizations automate the process of implementing a secure DMARC configuration. This is a great “set-it-and-forget-it” solution that can dramatically reduce the risk of phishing attacks that target campaigns and their supporters. This offering is available to eligible campaigns for free through DDC. 

Q 5. What practical steps can campaigns and political organizations take right now to address the security gaps highlighted in your report, especially as the 2024 elections approach? 

The good news here is that we’re not defenseless, and the political tech community has a ton of tools at its disposal to stop the bad guys. Every campaign should take the time to set up multi-factor authentication, use secure communication tools, and double-check security settings for key accounts like web administrators and social media pages. 

There are also a lot of excellent free resources for campaigns, like Google's Project Shield for protecting campaign websites and CISA's Election Security Toolkit for election-related organizations of all sizes. 

Q 6. How did you gather the data for this report? Could you walk us through the research process and explain how you identified the key security risks for campaigns and political parties?

The data for this report comes from VoterGuard’s Election Threat Monitoring Platform, which is the foundation of all of our work in political party cybersecurity. We start by mapping out an organization’s entire digital footprint, from its domain to any associated services, exposed accounts, or vulnerabilities in its infrastructure. Then, we layer in threat intelligence feeds and data sources that look across the deep and open Web to find at-risk accounts, look for data breaches that involve the organization, and spot any signs of potential compromise.

We fuse all of this data into a comprehensive digital risk assessment that highlights the most pressing security concerns for an organization. Because our platform runs continuously in the cloud, we’re also constantly assessing for any changes to an organization’s risk posture and can identify potential cyber threats in real-time. The 2024 Election Threat Report is a “snapshot” of these risks across the political landscape, highlighting the biggest security concerns facing campaigns today.

Q 7. Your report focuses on the 2024 elections. How do the security threats you've identified compare to those seen in previous election cycles?

Compared to previous election cycles, the 2024 cycle has seen a significant increase in both the sophistication and scale of cyberattacks targeting political organizations. We’ve observed more targeted efforts by nation-state actors and cybercriminals alike, with tactics ranging from phishing and disinformation campaigns to more advanced AI-driven attacks.

The 2024 election has also seen a surge in attacks against down-ballot races and candidates in state-level races, especially in swing states. What’s clear from our research is that no campaign is too small to be targeted—local elections are facing global threats, and campaigns need to take proactive steps to defend themselves.