A hacker claiming affiliation with the group Anonymous has broken into GOP vice-presidential nominee Sarah Palin's Yahoo e-mail account, subsequently posting the account password to an online chat forum. Information from the hacked account, including screenshots of several individual e-mails, a pair of family photographs, Palin's contact list, and header information from her inbox, were posted on the site Wikileaks earlier Wednesday.

The break-in comes amid controversy over the Alaska governor's use of the Yahoo e-mail account for state business. Internal documents obtained by reporters allegedly show Palin staffers discussing the possibility of using unofficial channels, such as personal e-mail accounts, as a means of evading subpoenas and requests under the state's open records law targeting her official account.

Though criticism of Palin's use of the Yahoo account had largely focused on worries about transparency, Donald Mitchell, the attorney for an Alaska citizen-watchdog who had been seeking disclosure of the governor's e-mail records, also broached security concerns. "There's a reason the governor should be using her own official e-mail channels, because of security and encryption," Mitchell told The Washington Post, "She's running state business out of Yahoo?"



Screenshot of the compromised inbox

Though the authenticity of the released material was initially questioned, the McCain-Palin campaign today confirmed what it called a "shocking invasion of the Governor's privacy and a violation of law." The account hacked was not the publicly-known "gov.sarah@yahoo.com" but a second, private address apparently used by close friends and family, "gov.palin@yahoo.com." The public profiles for those accounts have since been deleted, though Yahoo would not confirm whether the same was true of the accounts themselves.

According to a timeline compiled by users at the online chat board 4Chan, an anonymous poster appeared on the "Random" board known as /b/ (NSFW), claiming to have accessed Palin's account. Skeptical posters apparently dismissed the claim as a hoax, until the hacker posted the password (he had changed it to "popcorn"), prompting groups of forum users to log in. One of these—who appears to be the source of the documents released on Wikileaks—subsequently changed the password and notified one of Palin's assistants via e-mail. That user, however, inadvertently included the new password in the released screenshots, prompting a second flood that triggered Yahoo's security lockdown.



One of the screenshots of Palin's account

The fate of e-mails stored in those accounts—as well as the accounts themselves—is now unclear. A source at Yahoo could neither confirm nor deny their deletion, but did tell Ars that any e-mails emptied from an account's trash were not "readily" available to Yahoo. The source also indicated that the company cooperates with legitimate orders for records. In addition to the citizen-watchdog's request, the e-mails are also implicated in an ongoing ethics investigation into whether Palin improperly fired a subordinate, who had resisted pressure to oust an Alaska state trooper then involved in a messy divorce and custody battle with Palin's sister.

The information published to date does not appear to have been especially sensitive—one is a supportive message from a colleague; in another, Palin commiserates with her lieutenant governor about attacks by a political opponent. But if multiple parties had access to the account, it's at least possible that e-mails may have been obtained by intruders. The McCain campaign noted that the matter had been referred to the FBI and Secret Service, and expressed a "hope that anyone in possession of these e-mails will destroy them."

A spokesman for the group Anonymous denied any involvement in or knowledge of the hack. But since Anonymous is an inchoate activist/prankster group coordinated through forums like 4Chan, there doesn't appear to be any clear criteria for who counts as a "member."

If Palin's recourse to the popular Web mail service was an attempt to dodge disclosure requirements, it has clearly backfired. The effect of the incident on the ongoing investigation is uncertain, but it suggests that the use of unofficial accounts for government business is troubling, not just as an obstacle to open-government rules, but on security grounds as well.