It’s been just one week since Donald Trump’s inauguration and there have already been a series of cybersecurity blunders from the President and his administration. First was the news that senior members of his staff are allegedly using private email servers, then came reports that Trump was holding on to his old, unsecured Android phone, and now it looks as if Press Secretary Sean Spicer has been tweeting out passwords.

The first instance happened on Wednesday when Spicer posted “Aqenbpuu” on his boss’ favorite social media platform. The tweet was hastily deleted but not before being screengrabbed by a number of users, including hacktivist group Anonymous.

Things got even stranger the following day, when Spicer posted another mysterious Tweet, this one looking even more like a password. Some users theorized that this might be a failed attempt to enter Twitter’s two-factor authentication code, but, as The Next Web notes, the security feature uses only numerical codes, whereas Spencer’s Tweet includes letters.

There’s always the chance that both of these were pocket Tweets – the first one certainly looks that way. It’s important to remind people not to try and access any of Spencer’s accounts using these possible codes, as that would be illegal under the Computer Fraud and Abuse Act (and they’ll have been changed by now, anyway).

According to TechCrunch, another theory is that Spicer was using the SMS service Cloudhopper, which Twitter acquired back in 2010. He could have sent someone a password over SMS and, being in the wrong thread, tweeted it by mistake. But whatever the reason, it’s another embarrassing incident for Trump’s team.