1.27 Million E-Mail Addresses Compromised in Washington Post Jobs Board Hack

By CIOinsight  |  Posted 07-08-2011 Print Email
Washington Post admitted unknown perpetrators accessed its employment Website and stole 1.27 million userIDs and e-mail addresses of its registered job-hunters.
Security experts have long warned that all organizations are vulnerable to cyber-attack and that these days there is no such thing as being "not important enough" to attack. The latest proof comes in the form of Washington Post's admission that its job board had been hacked.

Cyber-attackers hit the Washington Post's job board twice, once on June 27 and again on June 28, the newspaper publisher said on its Website July 6. The "unauthorized party" stole roughly 1.27 million user IDs and e-mail addresses, but passwords to the actual Jobs account and other personal information such as resumes and personal addresses were not compromised.

We quickly identified the attack and took action to shut it down, the Washington Post said. While it declined to provide details on the vulnerability that allowed the two "brief" breaches to succeed, the publisher said it has been closed.

Users may receive spam as a result of the breach and should avoid opening suspicious or unsolicited e-mails or responding to the messages, according to the Post. The problem is even more serious than that, according to Josh Shaul, CTO of Application Security.

This breach is a "big deal" for the people registered with the job board, as the people registered on the site are job-seekers who would be highly susceptible to spear phishing, Shaul told eWEEK. "It's impossible to resist looking into legit looking e-mails that come in offering you the opportunity to work," he said.

Enterprises and governments alike have to think about their defenses against cyber-attacks, Rick Caccia, vice-president of product marketing at HP ArcSight, told eWEEK. "The best offense is to assume that your organization is the next target," he said.

Organizations need "solid tools and techniques" such as network segmentation and antivirus to defend against traditional attacks and user activity monitoring to detect sophisticated attacks, as attackers are clearly interested in gaining access to sensitive and privileged inside information, Caccia said.



 

Submit a Comment

Loading Comments...