Washington Post Jobs Board Hack Compromises 1.27 Million E-Mail Addresses

Washington Post admitted unknown perpetrators accessed its employment Website and stole 1.27 million userIDs and e-mail addresses of its registered job-hunters.

Security experts have long warned that all organizations are vulnerable to cyber-attack and that these days there is no such thing as being "not important enough" to attack. The latest proof comes in the form of Washington Post's admission that its job board had been hacked.

Cyber-attackers hit the Washington Post's job board twice, once on June 27 and again on June 28, the newspaper publisher said on its Website July 6. The "unauthorized party" stole roughly 1.27 million user IDs and e-mail addresses, but passwords to the actual Jobs account and other personal information such as resumes and personal addresses were not compromised.

"We quickly identified the attack and took action to shut it down," the Washington Post said. While it declined to provide details on the vulnerability that allowed the two "brief" breaches to succeed, the publisher said it has been closed.

Users may receive spam as a result of the breach and should avoid opening suspicious or unsolicited e-mails or responding to the messages, according to the Post. The problem is even more serious than that, according to Josh Shaul, CTO of Application Security.

This breach is a "big deal" for the people registered with the job board, as the people registered on the site are job-seekers who would be highly susceptible to spear phishing, Shaul told eWEEK. "It's impossible to resist looking into legit looking e-mails that come in offering you the opportunity to work," he said.

Enterprises and governments alike have to think about their defenses against cyber-attacks, Rick Caccia, vice-president of product marketing at HP ArcSight, told eWEEK. "The best offense is to assume that your organization is the next target," he said.

Organizations need "solid tools and techniques" such as network segmentation and antivirus to defend against traditional attacks and user activity monitoring to detect sophisticated attacks, as attackers are clearly interested in gaining access to sensitive and privileged inside information, Caccia said.

"Information is the new currency, generating enormous returns from the theft of intellectual property," Caccia said.

From the attacker's perspective, this attack was successful even without getting passwords or other sensitive information, according to Michael Sutton, vice-president of security research at Zscaler Labs.
"When email addresses can be sold in the underground market or used to send spam, there's little doubt that the data breach will be leveraged for profit," Sutton told eWEEK.

Shaul said thieves may also be able to use the list for blackmail purposes for people registered on the site who already have jobs and are looking for better opportunities. "Nobody wants their boss getting ahold of that info," Shaul said.

Washington Post said it has implemented additional measures to prevent similar attacks, and is "conducting a thorough audit of the security of the Jobs site."

The incident follows a June 7 cyber-attack on Gannett Government Media, publisher of several high-profile publications for the military and government sector such as Armed Forces Journal, Defense News and Federal Times. Thieves obtained files containing personal identifying information for its subscribers, including first and last name, userID, password, e-mail address and customer numbers. For some military subscribers, ZIP code, duty status, paygrade, and branch of service was exposed.

"Can we all just collectively roll our eyes again, bang our heads against the firewall and ask why companies are still storing customer passwords in plain text in their databases?" wrote Bit9 CTO Harry Sverdlove on the Bit9 blog.