The Washington Post is taking additional security precautions in the wake of a large breach of its job seeker site, which exposed 1.27 million usernames and email addresses.
The company acknowledged the security breach in a message posted Thursday on its website. The attack occurred in two separate incidents on June 27 and June 28. No passwords or other personal information was exposed, the company said.
“We are taking this incident very seriously. We quickly identified the vulnerability and shut it down, and are pursuing the matter with law enforcement. We sincerely apologize for this inconvenience,” the Washington Post said in the statement.
In addition, the company said it was conducting a thorough audit of its website and has implemented additional measures to prevent similar attacks in the future. The company warned users of its job site to be on the lookout for spam messages.
Security experts warn that cybercriminals could use stolen usernames and email addresses to concoct targeted phishing emails to steal additional information. The Washington Post email breach is similar to the massive data breach in March at Irving, Texas-based Epsilon Data Management LLC, which exposed millions of email addresses. Epsilon handles customer email for a number of big-name banks and retailers, including Best Buy, JPMorgan Chase, CitiGroup, L.L. Bean, Walgreens and the Home Shopping Network.
While there have been no reports of increased phishing as a direct result of the Washington Post breach, security experts say attackers could be looking for additional data. Beyond usernames and email addresses, data revealing individual customers' buying habits can be useful for crafting spear phishing messages, said Josh Shaul, CTO of New York-based Application Security Inc.
“On the surface it doesn’t seem like the bad guys have gotten away with much, but gaining additional information on users of a website can be useful to make phishing campaigns even more lucrative,” Shaul said.
A study issued last week by Cisco Systems Inc. found spam declining significantly over the last year as a result of botnet takedowns. It also found many attackers turning to more targeted attacks. While such attacks cost more to mount, they have proven more lucrative for cybercriminals, Cisco said.