The Washington Post on Thursday alerted users that a data breach compromised an estimated 1.27 million accounts on its job seeker site.
Specifically, the Washington Post said its "Jobs" section experienced a cyber attack by an "unauthorized third party" in what it described as "two brief episodes" June 27 and June 28. The hackers made off with user IDs and e-mail addresses but failed to obtain passwords or other personally identifying data.
The Post warned that the stolen e-mail addresses could be used by the hackers to launch spam attacks or wage targeted campaigns against users.
"We are taking this incident very seriously," the Post said in its alert. “We quickly identified the vulnerability and shut it down, and are pursuing the matter with law enforcement. We sincerely apologize for this inconvenience.”
The Post added that users’ jobs accounts remained secure.
Security experts said that the stolen e-mail addresses will likely be used to execute spearphishing campaigns—targeted attacks enticing users to submit sensitive information or install malicious applications by using social engineering ploys.
"The threat posed by the attack was fortunately lessened by the fact that passwords were apparently not accessed," said Michael Sutton, vice president of security research at Zscaler Labs, in an e-mail. “From the attacker's perspective however, harvesting 1.27 million active email addresses constitutes a successful attack. When e-mail addresses can be sold in the underground market or used to send spam, there's little doubt that the data breach will be leveraged for profit.”
Josh Shaul, chief technology officer for Application Security, maintained that job seekers were particularly susceptible to spearphishing attacks because they are often vigilantly checking e-mails sent from potential employers.
"This database breach is a big deal for those 1.27 million people. Their information is stored in that database because they are looking for work," Shaul said in an e-mail. "They're so susceptible to spear phishing. It's impossible to resist looking into the legit looking emails that come in offering you the opportunity to work. It could also be a problem for the people who have jobs and are out looking for better ones. Nobody wants their boss getting a hold of that info. The list could be used to blackmail people as well."
The Post said that it had implemented additional security measures in an effort to prevent a similar attack in the future, and enlisted the help of law enforcement to examine details surrounding the intrusion. In addition, the Post said it was undergoing an extensive audit of its security systems protecting data on its jobs site.
The Post warned users to avoid opening suspicious or unsolicited e-mails or clicking on links embedded in spammed e-mail messages. The publisher also advised users to avoid handing out personal or financial information, such as credit card numbers, banking information or passwords and usernames, in response to unsolicited messages, underscoring that the publication would never ask them to submit sensitive information over email.
The attack against the Washington Post follows a string of recent hacks against high-profile targets, including Sony, Citibank and Google.