Ah, so finally the detail. The site was apparently an ASP.NET site, and they were putting the whole SSN into the "VIEWSTATE" object.

Which looks something like this in the HTML:

<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="BASE64STUFFHERE=">

There is a choice to encrypt it, but I'm skeptical how useful that is, or that it was enabled in this case.

So the "hack" was "view source" -> decode some base64 data sitting in plain sight.

Edit: A little bonus. This bizarre video from a PAC the governor started, still trying to call this "hacking": https://www.youtube.com/watch?v=9IBPeRa7U8E
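An added example, not part of the comment above: a check a site owner could run over their own rendered pages to see whether `__VIEWSTATE` decodes to readable data containing SSN-shaped values. The function and class names and the sample blob are constructed for illustration, and the check assumes strings in an unencrypted ViewState show up as readable bytes once the base64 is decoded.

```python
import base64
import binascii
import re
from html.parser import HTMLParser

SSN_LIKE = re.compile(rb"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{8,}")

class HiddenFieldCollector(HTMLParser):
    """Collects the value of every <input name="__VIEWSTATE"> on a page."""

    def __init__(self):
        super().__init__()
        self.values = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("name") == "__VIEWSTATE":
            self.values.append(a.get("value") or "")

def audit_viewstate(html):
    """Return one finding dict per __VIEWSTATE field found in the HTML."""
    collector = HiddenFieldCollector()
    collector.feed(html)
    findings = []
    for value in collector.values:
        try:
            raw = base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError):
            findings.append({"decodable": False, "readable_strings": 0, "ssn_like": 0})
            continue
        findings.append({
            "decodable": True,
            # Long printable runs suggest the field is plaintext, not encrypted.
            "readable_strings": len(PRINTABLE_RUN.findall(raw)),
            # Report a count only, so the audit output holds no sensitive values.
            "ssn_like": len(SSN_LIKE.findall(raw)),
        })
    return findings

# Constructed sample: placeholder bytes around a fake record, not a real
# serialized ViewState. 000-12-3456 is not a valid SSN (area number 000).
_blob = b"\xff\x01\x0f\x05\x1bteacher_ssn=000-12-3456\x05\x03"
SAMPLE_PAGE = ('<form><input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" '
               'value="%s"></form>' % base64.b64encode(_blob).decode())

if __name__ == "__main__":
    print(audit_viewstate(SAMPLE_PAGE))
```

A nonzero `ssn_like` count on a production page means the data is being shipped to every visitor's browser, whatever the page visibly renders.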
If you care about this issue, please consider signing this petition urging Governor Parson to apologize.

https://www.change.org/p/governor-parson-apologize-to-st-louis-post-dispatch-which-responsibly-disclosed-data-leak

Do petitions accomplish much? I don't know. Still, someone needs to tell this guy he's an idiot.
Decoding viewstate might technically be illegal according to the DMCA, but shouldn't be, and if the journalist is convicted, they should be immediately pardoned.
The Computer Fraud and Abuse Act outlaws "unauthorized access". The website owner clearly did not authorize access to that, so the letter of the law may have been violated. Maybe the law should require malice, criminal intent, and actual harm to have happened for "unauthorized access" to be a crime.