Login Credentials of CISA & DOGE Engineer Kyle Schutt Leak Online

Login credentials for Kyle Schutt, a software engineer at CISA and Elon Musk's DOGE, have been found in multiple info-stealer malware leaks, indicating device compromise and raising significant U.S. national security concerns due to his access to sensitive systems.

Login credentials belonging to Kyle Schutt, a software engineer concurrently employed by the Cybersecurity and Infrastructure Security Agency (CISA) and the controversial Department of Government Efficiency (DOGE), have surfaced in multiple public data leaks stemming from info-stealer malware.

The leak, first detailed by Dropsite News, strongly indicates that devices used by Schutt have been compromised. The situation presents a significant security concern, particularly given Schutt’s reported access, as a DOGE employee, to sensitive government systems, including what Dropsite News described as a “core financial management system”, at FEMA since February.

Because info-stealer malware is designed to covertly collect data such as usernames and passwords, as explained by North Dakota Information Technology, the full impact of the breach remains difficult to assess.

The appearance of Schutt’s credentials in “stealer logs” is a direct indicator of device infection, a more serious compromise than inclusion in general third-party data breaches.

Cybersecurity expert Micah Lee elaborated that Schutt’s email and passwords appeared in at least four separate stealer log datasets published since late 2023, including a 100GB collection from September 2023 known as “Naz.API” and another set from malicious Telegram channels in July 2024.

Lee stated, “I have no way of knowing exactly when Schutt’s computer was hacked, or how many times,” and acknowledged, “I don’t know nearly enough about the origins of these stealer log datasets. He might have gotten hacked years ago and the stealer log datasets were just published recently. But he also might have gotten hacked within the last few months.”

This incident fuels existing criticisms about the operational security within DOGE, an agency already under scrutiny for its aggressive data acquisition strategies and unconventional methods. The potential for attackers to have already accessed sensitive information is high if Schutt used similar credentials across his government roles.

The steady stream of these published credentials suggests that data Schutt has used for a decade or more has been publicly known at various points.

This breach occurs against a backdrop of DOGE’s expanding influence and CISA’s concurrent struggles, raising serious questions about the security posture of critical government technology functions.

Mounting Concerns Over DOGE’s Operations

The compromise of Schutt’s devices is not an isolated event when considering the Department of Government Efficiency’s track record. DOGE, established by executive order on January 20, 2025, and advised by Elon Musk, has faced repeated scrutiny.

A whistleblower from the National Labor Relations Board (NLRB), Daniel Berulis, previously alleged that in early March, DOGE personnel facilitated a major data breach at the NLRB, exfiltrating sensitive labor data. Berulis, an NLRB DevSecOps Architect, asserted that DOGE engineers demanded “tenant owner level” access to cloud systems and instructed staff “that there were to be no logs or records made of the accounts created for DOGE employees,” a directive he described as “a huge red flag… It violates every core concept of security and best practice.”

The whistleblower’s account also detailed anomalous data transfers, the disabling of security controls, and suspicious login attempts from Russia using valid DOGE credentials.

An internal investigation was allegedly shut down, and Berulis reported facing “targeted, physical intimidation and surveillance.” These prior allegations of demanding high-level access and circumventing standard security protocols paint a concerning picture.

One critic on Mastodon, commenting on DOGE’s security practices, suggested, “At this point it’s difficult not to suspect their awful 0pSec is a choice, and that there are specific people (*ahem* *cough cough* the Russians *cough*) to whom they’re leaking secrets, with incompetence being merely plausible deniability for their true, treasonous agenda.” Further questions about DOGE’s technical competence arose from its own insecure public website and an API key leak at Elon Musk’s separate AI company, xAI.

CISA Under Pressure Amidst DOGE’s Ascent

While DOGE expands its reach, CISA, the nation’s primary civilian cybersecurity agency, has been navigating significant headwinds. The Trump administration’s fiscal year 2026 budget proposal includes a substantial $491 million cut for CISA, a reduction of nearly 17% from its roughly $3 billion budget, as reported by CyberScoop.

The administration’s stated aim is to refocus CISA on federal network defense and critical infrastructure, while eliminating what it terms “weaponization and waste.” An official budget summary stated, “The Budget refocuses CISA on its core mission — Federal network defense and enhancing the security and resilience of critical infrastructure — while eliminating weaponization and waste,” and a senior OMB official told reporters the goal was to “make sure that CISA is actually in the business of cybersecurity, as opposed to disinformation funding and funding grants at the Department of Homeland Security and universities to combat and call extremist half the country who just care about normal conservative things.”

A DHS spokesperson, cited by Cybersecurity Dive, claimed that “Under the Biden administration, CISA neglected their core mission in favor of censoring Americans. The President’s budget eliminates wasteful and weaponized spending and ensures that CISA is laser-focused on the security and resilience of our critical infrastructure.”

This proposed defunding follows a period of considerable internal pressure at CISA, including staff firings and the resignations of senior advisors Bob Lord and Lauren Zabierek, who were spearheading the agency’s “Secure by Design” initiative.

These developments led retired Rear Admiral Mark Montgomery, in a piece for The Hill, to describe the actions as the “gutting” of CISA. House appropriators have also questioned the rationale for such deep cuts amid escalating cyber threats, with Representative Lauren Underwood (D-Ill.) telling Nextgov, “That’s not cutting fat. That’s a death blow,” and suggesting Trump is “offended by” CISA’s mission to secure elections. Another appropriator, addressing CISA’s acting Director Bridget Bean, reportedly said of general statements about reorganizing that “that dog won’t hunt.”

The Broader Landscape of Government Cybersecurity

The security of government data and communications remains a persistent challenge. Beyond the direct compromise of individuals like Schutt, whose Gmail credentials have appeared in 51 data breaches according to Have I Been Pwned (including major breaches at Adobe and LinkedIn), the tools and practices used by officials are also under scrutiny.

For example, a fork of the Signal messenger app named TM SGNL, supplied by Israeli firm TeleMessage and used by Trump administration officials, was found to allow TeleMessage plaintext access to chats despite the company’s marketing claims of “End-to-End encryption from the mobile phone through to the corporate archive.” This led to at least two hacks and a call from Senator Ron Wyden for a DOJ investigation.

The Department of Government Efficiency itself has been aggressively pursuing access to sensitive data across various federal bodies, including Treasury payment systems and OPM personnel files.

These efforts, combined with controversial hires and plans to deploy AI agents to replace potentially 70,000 federal full-time workers, have drawn sharp criticism.

Cybersecurity expert Bruce Schneier warns that DOGE’s actions risk becoming “a National cyberattack”, while former NSA hacker Jacob Williams notes that DOGE personnel “introduced code changes into multiple federal IT systems… not following the normal process for vetting and review.”

The compromise of an engineer with ties to both the established cybersecurity agency CISA and the disruptive DOGE highlights the complex and evolving risks to national security. As of early May, CISA and DHS representatives have not responded to requests for comment regarding Schutt’s compromised credentials.

Markus Kasanmascheff
Markus has been covering the tech industry for more than 15 years. He holds a Master’s degree in International Economics and is the founder and managing editor of Winbuzzer.com.