While attention has focused on the potential to penetrate voting machines, a ProPublica survey found that more than one-third of counties overseeing toss-up congressional elections have email systems that could be vulnerable to hacking.

More than one-third of counties that are overseeing elections in some of the most contested congressional races this November run email systems that could make it easy for hackers to log in and steal potentially sensitive information.

A ProPublica survey found that official email accounts used by 11 county election offices, which are in charge of tallying votes in 12 key U.S. House of Representatives races from California to Ohio, could be breached with only a user name and password — potentially allowing hackers to vacuum up confidential communications or impersonate election administrators. Cybersecurity experts recommend having a second means of verifying a user’s identity, such as typing in an additional code from a smartphone or card, to thwart intruders who have gained someone’s login credentials through trickery or theft. This system, known as two-factor verification, is available on many commercial email services.

“Humans are horrific at creating passwords, which is why ‘password’ is the most commonly used password,” said Joseph Lorenzo Hall, the chief technologist at the Center for Democracy and Technology in Washington, D.C., who has pushed for security fixes in the voting process. “This means increasingly we need something other than passwords to secure access to our accounts, especially email, which tends to undergird all our other accounts.”

The email vulnerabilities emerged in ProPublica’s survey of election security in 27 counties encompassing all or part of roughly 40 congressional districts that the Cook Political Report has said are toss-ups. These contests could determine if Democrats take control the U.S. House of Representatives, where the party needs to pick up about two dozen seats to flip the current Republican majority. Of the 12 districts in counties with less protected email systems, Republicans are seeking re-election in 10. The other two are open seats where incumbents are stepping down.

Much attention has focused on the potential to hack voting machines. In the “Voting Village” at the Def Con security conference this summer in Las Vegas, hackers sought to compromise a handful of machines. But lax protections for internet-connected systems like email servers may pose just as serious a threat.

The lack of two-factor verification may have helped Russian hackers ultimately gain access to the Democratic National Committee’s network in April 2016, according to a federal indictment. Prosecutors say a Democratic campaign employee unwittingly put her password into a spearphishing email – a targeted message meant to dupe users into sharing their login information. Russian hackers also tricked John Podesta, Hillary Clinton’s campaign chairman, into handing over his password, enabling an embarrassing leak of his emails weeks before the election.

Even a program created by the Kansas secretary of state’s office to prevent voter fraud was vulnerable to snooping, ProPublica reported last year. The program, Crosscheck, sought to identify voters casting ballots in more than one state by comparing the rolls across states. But its files were hosted on an insecure server, and program officials regularly shared user names and passwords—many of them overly simplistic—for the site by email as late as 2017. Crosscheck paused operations in 2018 because of concerns about security and accuracy, and it is unclear when it will begin matching rolls again. The Kansas Secretary of State’s office did not return a request for comment.

A different kind of cyber-attack in 2016 manipulated the software code behind Illinois’ voter-registration system to expose the personal details of thousands of people. Matt Dietrich, a spokesman for the state board of elections, said the flaws that allowed the penetration have been fixed. Special counsel Robert Mueller charged 12 Russians this past July in connection with an unspecified breach that Illinois officials said was very likely the attack on the voter registration database.

“This wasn’t about to steal votes, but to create havoc,” Dietrich said. “If you can steal a voter database, and then go in and mess up the poll books that election judges rely on to check off voters, that’s going to be the story: That the United States can’t run a competent election.”

Using a checklist developed by Harvard’s Belfer Center for Science and International Affairs, ProPublica asked county election officials about their email systems, as well as about cybersecurity protections for voting machines and computers that check in voters at polling sites. Voter registration is generally handled at the state level, while counties administer elections and are responsible for protecting voting machines and verifying end-of-night vote tallies that determine winners.

Get Our Top Investigations Subscribe to the Big Story newsletter.

Funded by local taxes, counties are generally run by elected commissioners and often have centralized IT staff overseeing email services for departments ranging from the medical examiner to public works. As a result, elections officials have to compete for IT resources and attention.

Most of the counties interviewed said they had bulletproofed their computer systems and voting equipment. Joel Miller, an election official in Linn County, Iowa, said the county has recently put in place two-factor authentication requirements for its email systems. “We all need minimum standards for network security,” he said. “We weren’t up to date until recently.”

The counties with vulnerable email systems ranged in population from Orange County, California, with 3.1 million people to Olmsted County, Minnesota, with 155,000. Orange County elections director Neal Kelley said he’d prefer to have two-factor authentication. It hasn’t been implemented yet, but is “on the short horizon,” he said. There are two toss-up House races in Orange County.

Noah Praetz, the director of elections for Cook County, Illinois, except the city of Chicago, said his office “lacks a little bit of control” when it comes to changing IT systems because the county-run network serves more than 24,000 employees. He said the county government doesn’t require two-factor authentication for employees to log into emails.

One county reported two problems. Fayette County, Kentucky, which includes Lexington, told ProPublica its electronic voting machines don’t produce a separate paper trail for voters to verify their choices. Nor does it use two-factor authentication on its email system. Fayette, one of the state’s largest counties, is home to a chunk of Kentucky’s 6th congressional district, where a once-safe Republican incumbent is facing an unexpectedly competitive challenger.

Don Blevins, the Fayette elections chief, told ProPublica his county is not at risk for an email hack that would affect voting or registration. “I don’t question that two-factor authentication is better,” he said, but added, “Since we don’t use email to conduct voting, nor voter registration, then the level of security is moot.”

Besides Orange, Olmsted, Cook, and Fayette, the counties without two-factor authentication were: Arapaho County, Colorado; Linn County, Hennepin County, and Dakota County, Minnesota; Hamilton County, Ohio; King County, Washington; and Harris County, Texas.

Some counties have secured their emails but had other shortcomings. Shawnee County, Kansas, said it doesn’t yet have countermeasures to stop hackers from bringing down its website by overloading it with malicious traffic. If such a denial-of-service attack takes the site offline, election commissioner Andrew Howell said, officials would instead publish election results on social media.

Five of the 27 counties surveyed did not respond to multiple emails or phone calls from ProPublica: Polk County, Iowa; St. Louis County, Minnesota; Ocean County and Essex County, New Jersey; and Oneida County, New York.

U.S. law enforcement officials and cybersecurity experts have been working with states in the months leading up to the November midterms to improve election security. States are using some of the $380 million in newly earmarked federal funds to test for vulnerabilities and recruit and train IT staff, according to congressional testimony from the National Association of Secretaries of State.

Fixing technical problems isn’t cheap, and county governments have had to make hard choices when prioritizing spending. Tammy Patrick, a former election administrator in Arizona and now a senior adviser at the nonprofit Democracy Fund, said counties may consider it more urgent to replace outdated voting machines than to fix email systems.

That said, even short-lived IT security problems may have a corrosive effect on public trust in the accuracy of ballot results. “The last thing you want to do on Election Day is face problems you could have easily dealt with before then,” Hall, the technologist, said. “Officials will dismissively say, ‘It hasn’t happened to us.’ But with that attitude, you’re building a castle on sand.”

Cybersecurity In Toss-Up Races We asked: Do the email systems you use to communicate employ or require two-factor authentication? State County House district(s) Incumbent(s) Party Two-factor authentication? Illinois Cook 6 Roskam R No Kentucky Fayette 6 Barr R No Minnesota Olmsted 1 (Open) D No Iowa Linn 1 Blum R No; requested Minnesota Dakota 2 Lewis R No Colorado Arapahoe 6 Coffman R No Ohio Hamilton 1 Chabot R No Minnesota Hennepin 3 Paulsen R No; in progress Washington King 8 (Open) R No; in progress California Orange 45, 48 Walters, Rohrabacher R, R No Texas Harris 7 Culberson R No California San Joaquin 10 Denham R Unknown California Los Angeles 25, 39 Knight, (Open) R, R Yes Illinois Madison 12 Bost R Yes Iowa Polk 3 Young R Unknown Kansas Shawnee 2 (Open) R Unknown Kansas Johnson 3 Yoder R Yes Maine Penobscot 2 Poliquin R Yes Michigan Oakland 8 Bishop R Yes Michigan Wayne 11 (Open) R Unknown Minnesota St. Louis 8 (Open) D Unknown New Jersey Ocean 3 MacArthur R Unknown New Jersey Essex 7 Lance R Unknown New York Dutchess 19 Faso R Yes New York Oneida 22 Tenney R Unknown Texas Dallas 32 Sessions R Unknown Virginia Chesterfield 7 Brat R Yes

Ally Levine, Lilia Chang and Blake Paterson contributed to this report.