They were using Mailman, which means each member had their own password, which was emailed to them in plain text once a month. There is also a master list password, which would be known to whoever managed the master list (used to be David Gerard, but I imagine not so anymore), and a master server password, which would be known to whoever runs the software (WMF technical team, I assume).
The thing is, these passwords are (as I mentioned) emailed to each member once a month, in plaintext. If one of the Arbs were to have been so foolish as to use a public access unencrypted WiFi to access their email, that would have allowed anyone with enough competence to run Firesheep to capture a login cookie to their email account, and from that our intrepid hacker could have gotten anything that was presently in their email, presumably including that plaintext password. From there, the rest is gravy: log into the Mailman archives with that password and download all the archives.
There are fairly simple steps that can be taken to avoid this sort of compromise, but fairly few people take them, and with eighteen people on the ArbCom it's a fair bet that at least one of them was not.
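
An added example, not part of the original post: a mailbox audit that flags stored messages likely to hold a plaintext Mailman password, so they can be deleted and the password changed. The subject pattern and the `X-List-Administrivia` header are assumptions about Mailman 2.1 administrative mail, and the sample messages are constructed.

```python
import re
from email import message_from_string, policy

# Assumptions about Mailman 2.1 administrative mail (not taken from the post):
SUBJECT_HINT = re.compile(r"mailing list memberships reminder", re.IGNORECASE)
BODY_HINT = re.compile(r"\bpassword", re.IGNORECASE)

# Constructed sample messages; the password values are placeholders.
SAMPLE_MESSAGES = [
    "From: mailman-owner@lists.example.org\n"
    "Subject: lists.example.org mailing list memberships reminder\n"
    "X-List-Administrivia: yes\n"
    "\n"
    "Passwords for member@example.org:\n"
    "demo-l@lists.example.org    PLACEHOLDER-1\n",
    "From: someone@example.org\n"
    "Subject: [demo-l] I forgot my password, who do I ask?\n"
    "\n"
    "Is there a way to reset a list password?\n",
    "From: demo-l-request@lists.example.org\n"
    "Subject: Welcome to the \"demo-l\" mailing list\n"
    "X-List-Administrivia: yes\n"
    "\n"
    "Your password is PLACEHOLDER-2\n",
]

def is_password_mail(msg):
    """True for list administrative mail whose plain-text body mentions a password."""
    subject = str(msg.get("Subject", ""))
    administrivia = str(msg.get("X-List-Administrivia", "")).strip().lower() == "yes"
    part = msg.get_body(preferencelist=("plain",))
    text = part.get_content() if part is not None else ""
    looks_admin = administrivia or bool(SUBJECT_HINT.search(subject))
    return looks_admin and bool(BODY_HINT.search(text))

def find_password_mail(raw_messages):
    """Return (sender, subject) for each stored message that should be purged."""
    hits = []
    for raw in raw_messages:
        msg = message_from_string(raw, policy=policy.default)
        if is_password_mail(msg):
            hits.append((str(msg.get("From", "")), str(msg.get("Subject", ""))))
    return hits

if __name__ == "__main__":
    for sender, subject in find_password_mail(SAMPLE_MESSAGES):
        print(f"purge and rotate: {subject!r} from {sender}")
```

An ordinary list post that merely mentions passwords is not flagged, because it carries neither administrative marker.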