

Washington Post Hacked: 1,270,000 Emails and User IDs Compromised - d0ne
http://www.washingtonpost.com/wp-srv/jobs/product-pages/fraud-email.html

======
TeHCrAzY
They don't see the potential impact of associating a particular username from
a jobs website with an email address?

I would be concerned about more targeted phishing attacks: I tend towards
using my real name as my username on job websites, and given a list of
usernames and emails, I'm very sure you could produce some more believable
phishing emails than regularly received.

Edit: Thinking more on this, it would be reasonable in any of these email +
username exposures to simply apply a filter of common names, and then use them
in a more legitimate looking email. I don't see much of this in my spam (my
email address is firstnamelastname@domain.com, and my first name is common),
so I would take a stab and say that perhaps the number of people likely to
fall for this would not significantly increase with improvement in the quality
of the initial email.

~~~
biot

      From: security@washingtonpost.com
      To: [your email]
      Subject: Washington Post Vulnerability Update
    
      Dear [name],
    
      Our initial investigation revealed that an unauthorized third party managed 
      to retrieve the list of user IDs and email addresses associated with 
      Washington Post Jobs accounts, of which yours was one.  Our security team 
      has performed a more thorough audit of the attack which resulted in the 
      exposure of your information and has determined that the unauthorized third 
      party was also able to gain access to encrypted passwords.
    
      Because the passwords were encrypted, it is unlikely that the attackers will 
      be able to access your Jobs account.  However, due to the very small chance 
      that this unauthorized third party may be able to decrypt your password, we 
      are requiring every Jobs account holder to change their password within the  
      next 48 hours.  Failure to change your password will result in your account 
      being permanently locked out.
    
      To further enhance the security of our Jobs site, you will need to specify 
      your existing password as well as your new password.  Your new password must 
      be at least eight characters long and have one or more upper case letters, 
      one or more lower case letters, and one or more numbers or symbols.  Please 
      change your password at the following URL:
    
      [link to phishing site that looks like Washington Post's Jobs site with a
       realistic password change form that will dutifully accept your email and 
       current password and enforce the new password requirement for good 
       appearances]
    
      Sincerely,
    
      Washington Post Jobs Customer Service

~~~
TeMPOraL
Wow. That looks legitimate.

      we are requiring every Jobs account holder to change their password within the
      next 48 hours.  Failure to change your password will result in your account
      being permanently locked out.

That's the bit that got me thinking, but more on the lines of "WTF?!" than
recognizing this as a phishing attempt.

~~~
biot
I figure most people might think if changing the password is optional, why
bother? That line provides timely motivation to do so immediately. On further
thought, I'd also remove the part which mentions supplying the current
password and just focus on the new password requirements. The form on the site
would naturally ask for their current password.

------
oasisbob
It's not comforting that they didn't take this seriously enough to pass it by
an editor before making the disclosure.

SPAM is a trademark of Hormel. A synonym for junk email is 'spam'. Whoever
wrote this doesn't even recognize the difference. Hell, the author turned
'junk mail' into a proper noun! ("SPAM, aka. Junk Mail ...")

Granted, the WP has a newsroom that is probably entirely separate from
whatever org runs their jobs site, but reputation is shared both ways. They're
an editorial power-house and should know better.

------
tptacek
Anyone know any details? From the description, this sounds like the kind of
thing where there's an INPUT TYPE=HIDDEN or a cookie with an integer userid,
and the attacker just rotated it and crawled profile pages. Sucks, but not the
end of the world.
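
A defender's counterpart to the pattern tptacek describes, added here as an example (not code from the thread or from the Post): a small Python check that flags clients walking sequential integer IDs in web access logs. The log lines, the `/jobs/profile?uid=` path, the client addresses and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (hypothetical path, IDs and clients, not
# real Washington Post data): one ordinary visitor and one client walking IDs.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jun/2011:12:00:01 +0000] "GET /jobs/profile?uid=48213 HTTP/1.1" 200 5120
10.0.0.9 - - [10/Jun/2011:12:00:01 +0000] "GET /jobs/profile?uid=1000 HTTP/1.1" 200 5001
10.0.0.9 - - [10/Jun/2011:12:00:01 +0000] "GET /jobs/profile?uid=1001 HTTP/1.1" 200 5003
10.0.0.9 - - [10/Jun/2011:12:00:02 +0000] "GET /jobs/profile?uid=1002 HTTP/1.1" 404 312
10.0.0.9 - - [10/Jun/2011:12:00:02 +0000] "GET /jobs/profile?uid=1003 HTTP/1.1" 200 4998
10.0.0.9 - - [10/Jun/2011:12:00:02 +0000] "GET /jobs/profile?uid=1004 HTTP/1.1" 200 5010
10.0.0.9 - - [10/Jun/2011:12:00:03 +0000] "GET /jobs/profile?uid=1005 HTTP/1.1" 200 5007
10.0.0.5 - - [10/Jun/2011:12:03:44 +0000] "GET /jobs/profile?uid=9917 HTTP/1.1" 200 4990
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET ([^ "]+)[^"]*" (\d{3})')
UID_RE = re.compile(r'[?&]uid=(\d+)')

def profile_requests(log_text):
    """Map client address -> list of integer profile IDs it requested, in order."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                    # not a GET in the expected format
        client, path, _status = m.groups()
        u = UID_RE.search(path)
        if u:
            seen[client].append(int(u.group(1)))
    return seen

def enumeration_score(ids):
    """Fraction of successive requests whose uid differs by exactly 1.
    A person browsing jumps around; an ID walker steps by one every time."""
    if len(ids) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(ids, ids[1:]) if abs(b - a) == 1)
    return steps / (len(ids) - 1)

def flag_enumerators(log_text, min_requests=5, min_score=0.8):
    """Return {client: (request_count, score)} for clients whose profile
    requests look like an ID walk rather than browsing (thresholds assumed)."""
    flagged = {}
    for client, ids in profile_requests(log_text).items():
        score = enumeration_score(ids)
        if len(ids) >= min_requests and score >= min_score:
            flagged[client] = (len(ids), round(score, 2))
    return flagged
```

Requests that return 404 are counted on purpose: a walker probing deleted or never-assigned IDs still steps by one.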

~~~
2mur
I'd definitely like to know, since the WaPo guys use a lot of django. If (big
if, I don't actually know) the jobs site was built on django, and if they
could figure out how it was compromised it would be beneficial for the wider
django community to know. I hope they share when the dust settles.

~~~
Harkins
I used to be one of the WaPo Django guys. Jobs was a separate team on an
entirely different technology stack on different hardware, though probably in the same
data center. I know they happened to use Java (and probably still do) but have
no more info (nor did I want any - c'mon, Java).

------
qnm
I received one of these emails. What I don't understand is why - I've never
used the Washington Post jobs site. I live in Sydney...

~~~
ohashi
Yeah me too. I don't remember ever signing up for WaPo jobs. I've never used
it.

------
rcthompson
So, are these massive leaks of user information happening more and more often,
or are we just hearing about them more often?

------
tedsbardella
This is very interesting. I was wondering why I got spam through to my Gmail
account this weekend. This is the first time I can definitely see the

------
jmadsen
"How can I reduce or avoid SPAM?"

- Do not sign up at sites with poor site security

~~~
pixdamix
That's not a solution, you can't know if the site implements good security
measures.

Every site will be hacked (eventually). Just use a _strong_ passphrase, maybe a
password generator like SuperGenPass when you can, multiple emails, and you
should be (relatively) safe.

------
aresant
Clearly it's not this simple, but are spam honeypots a tool utilized by these
big boys as an insurance policy against these attacks?

EG - seed your DB w/known email addresses, see what junk hits them all, follow
the money?
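
An added example (not from the thread or from any news site's systems) of the seeding idea aresant raises: canary addresses that carry an HMAC tag, so that a message hitting one can be attributed to the data set it was planted in, and a guessed or mutated address will not verify. The secret, the domain, the `jobsdb` label and the inbound messages are constructed assumptions.

```python
import hashlib
import hmac
import re

SECRET = b"replace-with-a-random-32-byte-secret"   # constructed placeholder key
CANARY_DOMAIN = "canary.example.org"               # hypothetical domain we control

def make_canary(dataset, serial):
    """Build a canary address whose local part carries the data-set label and an
    HMAC tag, so a hit is attributable without a lookup table and a guessed
    or mutated address will not verify as one of ours."""
    label = f"{dataset}-{serial}"
    tag = hmac.new(SECRET, label.encode(), hashlib.sha256).hexdigest()[:10]
    return f"{label}.{tag}@{CANARY_DOMAIN}"

LOCAL_RE = re.compile(r"^([a-z0-9]+)-(\d+)\.([0-9a-f]{10})$")

def verify_canary(addr):
    """Return the data-set label for a genuine canary address, else None."""
    local, _, domain = addr.lower().rpartition("@")
    if domain != CANARY_DOMAIN:
        return None
    m = LOCAL_RE.match(local)
    if not m:
        return None
    dataset, serial, tag = m.groups()
    label = f"{dataset}-{serial}"
    expected = hmac.new(SECRET, label.encode(), hashlib.sha256).hexdigest()[:10]
    return dataset if hmac.compare_digest(tag, expected) else None

# Constructed inbound mail (sender, recipient): two genuine canaries planted in
# the hypothetical "jobsdb" data set, one ordinary mailbox, one forged canary.
INBOUND = [
    ("offers@pharma-deals.invalid", make_canary("jobsdb", 17)),
    ("offers@pharma-deals.invalid", make_canary("jobsdb", 42)),
    ("news@weekly.invalid", "alice@example.org"),
    ("spoof@evil.invalid", "jobsdb-99.0123456789@" + CANARY_DOMAIN),
]

def attribute(inbound):
    """Map data-set label -> sorted senders that mailed its genuine canaries."""
    hits = {}
    for sender, rcpt in inbound:
        dataset = verify_canary(rcpt)
        if dataset:
            hits.setdefault(dataset, set()).add(sender)
    return {k: sorted(v) for k, v in hits.items()}
```

Planting a distinct serial in each copy handed to a partner or stored in a separate system is what turns "the list leaked" into "this copy leaked".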

------
chrisjsmith
Don't they run Django? Is there something we should know about?

~~~
bigsassy
No, they don't run Django for the entire site. Django is mostly used for one-
off apps, like:

<http://www.washingtonpost.com/wp-srv/special/politics/election-results-2010/exit-poll/>

or

<http://apps.washingtonpost.com/highschoolchallenge/>

