The Washington Post website has been hit with a double security breach. Malicious hackers have made off with around 1.3 million user IDs and email address from the “Jobs” section of the site. The attackers were able to gain access on two separate occasions: on the 27th and 28th of June.

To their credit, the Washington Post appears to have acted quickly to plug the gap and set up an appropriate response. It appears that user passwords and other personal information remain safe. The Post is currently investigating the incident, has taken steps to prevent against similar attacks, and is “pursuing the matter with law enforcement”.

It appears that the worst that users can expect is an increase in the number of unsolicited SPAM emails, as user accounts on the Jobs website remain secure.

How Did This Happen?

The Washington Post did not specify how the attack occurred, but it is quite possibly SQL Injection, or some other kind of database attack, as it appears that a database was stolen. In an SQL Injection Attack, an attacker injects his own SQL commands into a web server to read from database tables that are normally restricted. It is one of the most popular types of attacks against websites and can be used to steal entire databases.

How was the Incident Detected?

The incident could have been detected in a variety of ways. The Post might have noticed a surge in traffic to the Jobs website, looked at the log files and performed a web application vulnerability scan. This would have pointed out possible attack vectors and pinpointed the avenue of attack. It is also possible that the leak was discovered after users reported increased levels of SPAM and/or attempts at phishing.

Nobody has come forward and claimed responsibility, and the Washington Post has not pointed any fingers yet. At this point, one can only speculate.


The actual amount of personal information stolen is considerably less as compared to other recent high-profile attacks. “Only” 1.3 million user IDs and email addresses were stolen. The Washington Post acted quickly to detect and plug the gap. However, a clever attacker can leverage that information through certain malicious techniques.

The most obvious would be adding the users to a SPAM mailing list. Email SPAM is the sending of unsolicited messages to a large list of addresses. It is the digital equivalent of junk mail. The emails will be unwanted and typically sent in bulk.

If the attackers are looking to steal sensitive information, a common attack is phishing. Phishing is the digital equivalent of social engineering. It is a way to gain sensitive details from a user by posing as a trustworthy company. It is one of the leading causes of identity theft.

The typical phishing example would be a stern, official-looking email, appearing to come from a major bank. The email would usually request that the reader clicks a link and “verifies” some sensitive information.

The attackers can use the associated user IDs that they stole and pose as the Washington Post Jobs website itself. The users might be more likely to respond to the phishing emails if it contains their user ID for the website in question. This targeted form of phishing is called spear-phishing.

Lessons Learned

It is almost a statistical certainty that companies are going to get hacked. The steps that the company takes after the attack are just as important as the preventative steps before.

It is important to have a quick and effective incident-response setup in place. Thankfully, the Washington Post Jobs site appears to, as it acted very quickly to patch the problem and warn its users. The obvious example to the contrary would be Sony, who suffered weeks of delays.

The preventative measures are important. It is essential that SQL injection vulnerabilities are scanned for and fixed. Websites are constantly changing, opening up new defects in previously-secure areas of the site.

In this day and age, there is no end to the ingenuity of the attackers and the lengths that they go through to gain access. Just like a cat-and-mouse game, it is ever more important that web administrators take every measure to stay ahead of the curve.


Acunetix developers and tech agents regularly contribute to the blog. All the Acunetix developers come with years of experience in the web security sphere.