
The credentials of an employee affiliated with two prominent U.S. government entities, the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Government Efficiency (DOGE), have surfaced in publicly accessible data repositories: they appear in infostealer logs, data exfiltrated by malware from an infected device. This discovery suggests that the official's devices were compromised at some point in recent years.
According to Dropsite News, in February, 30-year-old software engineer Kyle Shutt gained access to the core financial management system of the U.S. Federal Emergency Management Agency (FEMA). While employed at DOGE, he interacted with FEMA’s proprietary software, used for allocating grants for disaster recovery and other purposes. At CISA, Shutt likely had access to sensitive data concerning the security of civilian government networks and critical infrastructure across the United States.
Journalist Micah Lee discovered that the credentials for several of Shutt's accounts have been posted online at least four times since early 2023. These credentials were leaked via logs collected by infostealer malware, which typically reaches a device through trojanized applications, phishing, or exploitation of software vulnerabilities. Infostealers harvest saved browser passwords, cookies and session tokens (which can let an attacker resume a logged-in session without the password or a second factor), and can additionally log keystrokes, capture screenshots, or record continuous video of on-screen activity. The harvested data is transmitted to the operators and subsequently either published or sold on underground markets.
“I can’t determine precisely when Shutt’s computer was compromised or how many times it happened,” Lee writes. “I have very little information about the origin of these infostealer log sets. It’s possible the breaches occurred years ago and the logs were only recently released. But it’s also possible that the compromises are much more recent.”
The data breach monitoring service Have I Been Pwned indicates that the login and password for Shutt’s Gmail account appeared in 51 database breaches and five separate dumps. Major incidents include the 2013 Adobe breach affecting 3 million users, the 2016 LinkedIn breach compromising 164 million accounts, the 2020 Gravatar breach impacting 167 million users, and last year’s leak from the conservative news outlet The Post Millennial.
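The practical check a reader will want after a story like this is whether one of their own passwords already sits in a breach corpus. Have I Been Pwned exposes its Pwned Passwords set through a k-anonymity range API: the client hashes the password with SHA-1, sends only the first five hex characters of the digest, and receives every suffix in that bucket with a prevalence count, so the password itself never leaves the machine. The following is an added example, not code from the article or from Micah Lee; the range endpoint and the `Add-Padding` header are HIBP's real interface, while the sample response and its counts are constructed so the script runs offline.

```python
import hashlib
import urllib.request

# Real HIBP endpoint: GET /range/<first 5 hex chars of SHA-1(password)>.
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_split(password: str) -> tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the upper-case SHA-1 hex digest.

    Only the prefix is ever sent over the network; that is the k-anonymity property.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines HIBP returns (CRLF-separated) into a dict.

    With Add-Padding the server also returns decoy lines with a count of 0 so that
    a network observer cannot infer bucket sizes; those parse to 0 and never match
    a real breached password.
    """
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range_live(prefix: str) -> str:
    """Query HIBP for one hash prefix (requires network; not used by the offline test)."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "breach-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch=fetch_range_live) -> int:
    """Number of times the password appears in the Pwned Passwords corpus (0 = not seen)."""
    prefix, suffix = sha1_split(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


# Constructed sample response for the bucket of SHA-1("password"), whose digest is
# 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8. The count is illustrative, not HIBP's.
SAMPLE_RESPONSES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"   # matching suffix
        "0123456789ABCDEF0123456789ABCDEF012:0\r\n"         # padding decoy line
    ),
}


def fetch_range_sample(prefix: str) -> str:
    """Offline stand-in for fetch_range_live using the constructed bucket above."""
    return SAMPLE_RESPONSES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "a-long-unique-passphrase-1234"):
        n = breach_count(pw, fetch_range_sample)
        verdict = f"seen {n} times, change it" if n else "not in the sample corpus"
        print(f"{pw!r}: {verdict}")
```

To run it against the live service, call `breach_count(pw)` with the default fetcher. A count of 0 means only that the password is not in HIBP's corpus, not that it is safe; a credential captured by an infostealer last week will not be there yet, which is exactly the gap Lee points to above.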
As Lee notes, the presence of digital credentials in such breaches does not necessarily imply weak password practices or direct user compromise. Often, the breaches stem from vulnerabilities in the services themselves. However, the recurring appearance of Shutt’s credentials over the past decade strongly suggests that his passwords have fallen into malicious hands multiple times.
If Shutt reused the same or similar passwords for his work with CISA and DOGE, attackers may have gained access to the confidential information he handled. Unlike a third-party service breach, an infostealer log is produced on the victim's own machine, so the existence of four separate log sets shows that at least one of his devices was compromised.
Critics of DOGE argue that Lee’s findings align with broader security lapses within the agency. These include a website open to editing by anyone, and unprecedented access to various government systems, including the federal payroll platform.
“At this point it’s difficult not to suspect their awful OpSec is a choice, and that there are specific people (*ahem* *cough cough* the Russians *cough*) to whom they’re leaking secrets, with incompetence being merely plausible deniability for their true, treasonous agenda. That line in Hegseth’s office, for example, wasn’t installed by Comcast, was it? Only DOGE and Starlink, with direct authorization of Putin’s puppet in the White House, could have bypassed all security measures,” one critic posted on the social network Mastodon.
CISA and the Department of Homeland Security, which oversees the agency, have yet to issue an official statement.