The site also posted paintings made by his sonGeorge W. Bush — including purported self-portraits of the 43rd president in the shower and the bath.
A Bush family representative confirmed that the e-mails were stolen but said the family would make no formal statement beyond that.
On Friday, these moments from a famously private family became worldwide gossip. The story tested boundaries of propriety and relevance for traditional news media outlets: At the heart of the story was material that, in another day, might not have been published at all: intensely personal data, gained by apparently illegal means.
The incident also underscored a fundamental contradiction of the Internet age. Millions of Americans rely on the data “cloud” to safeguard the intimate details of their lives, storing them in e-mail inboxes, social-media postings and other digital repositories. People do it despite occasional reminders that, up in the cloud, data can be vulnerable.
On Friday, Secret Service spokesman Ed Donovan said that the investigation is being led by the agency’s criminal investigative division in Washington. Donovan said he could not release any details about the investigation.
The Smoking Gun said the stolen e-mails it had reviewed were dated between 2009 and 2012. In all, the site said, six accounts appeared to have been compromised. Among those hacked were Dorothy Bush Koch, daughter of George H.W. Bush and sister of George W. Bush; as well as sportscaster Jim Nantz, a Bush family friend.
The e-mails were obtained by a hacker called “Guccifer” and posted in an account “that appears to have been hacked for the purpose of hosting the material,” the Smoking Gun said. The site did not release the full cache of hacked e-mails or provide information about how it learned about them.
“I don’t really want to go into any further details,” William Bastone, the site’s editor, said in a telephone interview Friday. He also declined to say how many e-mails the site had reviewed. “They were posted in an online account, which is where we found them.”
Bastone said he did not anticipate that the site would release more of the e-mails or photos. The site’s next story, he said, might not come until the hacker is caught.
The Smoking Gun report included several quotes from the stolen e-mails, which showed intimate moments from the lives of two ex-presidents who have vigorously guarded their privacy in retirement, including sensitive discussions of George H.W. Bush’s poor health.
But there were also lighthearted scenes from the life of the George W. Bush, who has kept a low profile since leaving office in 2009. Apparently, he has been painting.
Two months ago, the Smoking Gun said, the 43rd president sent his sister photos of two paintings he was working on. One was a self-portrait in the shower, viewed from the back and from the waist up. Another showed him in the bath, gazing out at his legs and toes.
But he does not paint only self-portraits. One photo obtained showed him painting St. Ann’s Episcopal Church in Kennebunkport, Maine, near the family compound.
In its report, the Smoking Gun said it had corresponded with the hacker, who told the site that “the feds” had been investigating him for a long time. The Smoking Gun, which identified the hacker only by the alias Guccifer, reported: “Asked if he was concerned about the FBI/Secret Service investigation that will no doubt follow shortly, he replied cryptically, ‘I have an old game with the [expletive] bastards inside, this is just another chapter in the game.’ ”
On Friday, the Bushes seem to be taking the episode in stride.
“This is upsetting, and rightly so” to the Bush family, said Ronald Kaufman, a former adviser to George H.W. Bush and a family confidant. But, he said, they would count themselves lucky if cybertheft was the worst thing that happened to them.
Security experts said that hacking e-mail accounts is not difficult. One common tactic involves sending an e-mail to a target with an attachment or link that looks authentic, thus luring the target to click on or download the file and open software that enables the attacker to steal log-in and password data. That way, the attacker can log in as the victim and gain access to his or her e-mail.
The difficult part is getting the victim to fall for the malicious e-mail — what is called “social engineering” — and applying the right “exploit” or attack tool against the targeted computer.
“The victim needs to be running software for which the intruder has a reliable exploit” that can get the credentials, said Richard Bejtlich, chief security officer for Mandiant, a security firm.
But some hackers don’t need to use malware. In 2010 and 2011, one attacker, using publicly available information, correctly guessed the answers to the “Forgot your Password?” security questions for the e-mail accounts of dozens of celebrities, including Scarlett Johansson and Christina Aguilera.
Rachel Weiner and Ellen Nakashima contributed to this report.