Over a million email addresses stolen from Washington Post

US NEWSPAPER The Washington Post has warned users of its Jobs web site that their email addresses were exposed during a recent security breach, which involved an unauthorised party obtaining access to the data.

The incident occurred last month, on 27 June and 28 June, and the attackers apparently exploited an undisclosed vulnerability in the web site.

"We quickly identified the attack and took action to shut it down. We also have implemented additional measures to prevent against a similar attack in the future, and we are pursuing the matter with law enforcement," The Washington Post said in a statement.

The company estimates that around 1.27 million email addresses and user names were exposed during the intrusion, but stresses than no passwords were compromised.

The breach did not affect people's personal information or other sensitive details that could have exposed them to identity theft risks, however the leak of email addresses should not be taken lightly.

Since most people register on recruitment web sites with their primary and active email addresses, the list would prove to be a valuable resource for any spammer.

Furthermore, knowing the origin of the addresses, attackers can now craft believable phishing emails purporting to come from The Washington Post in order to extract more sensitive information from users.

There are precedents for such attacks. Last December, Walgreens customers received phishing emails after the company's client contact list was stolen from a marketing partner. Back in April, the Better Business Bureau (BBB) reported phishing attacks targeting customers affected by a breach at large email service provider Epsilon Data Management.

In addition, since the emails originated from an online jobs portal, hackers can recruit people to launder money without their knowledge. Victims of such schemes are known as money mules and end up believing that they work as account managers for foreign companies when in fact they're moving stolen money out of the country on behalf of international fraudsters.

Users registered on the Washington Post Jobs web site are advised to exercise caution when dealing with future emails purporting to come from potential employers. They should perform background checks and confirm any requests over the phone.

The Washington Post is in the process of auditing the security of its Jobs web site in order to identify and resolve any other vulnerabilities that could put customer information at risk in the future. µ