The Washington Post’s jobs’ site was hacked last week, the company told users in an e-mail note sent last night (via Romenesko). While the paper says that no passwords were stolen, a third party was able to retrieve IDs and e-mail addresses.
If that’s in fact all that was taken — WaPo says that in addition to passwords, users’ resumes and contact info was not accessed and the hacking was shut down — then the company and its users probably dodged a bullet. But it’s just one more instance of how vulnerable these systems are and how risky it is to share any private information.
While this episode does remind older users of the security of relying on the print classifieds which were such great revenue drivers for newspapers in good times and bad, there’s no going back for jobseekers. But if if the WaPo gets hit a second hack, even one as relatively harmless as this one, it could undermine users’ and advertisers’ confidence, dealing a significant blow.
The full memo to WaPo jobs’ site users is below:
To Our Washington Post (NYSE: WPO) Jobs Customers,
I am writing to let you know that an unauthorized third party attacked our Jobs website last week. We quickly identified the attack and were able to shut it down. Although the hackers unfortunately gained access to certain user IDs and e-mail addresses used on our site, all passwords remain secure, and no other personal information (such as resumes or contact information) was impacted by this attack.
The hackers did not access any other parts of washingtonpost.com or Washington Post systems. We are taking this incident very seriously and are pursuing the matter with law enforcement.
We are contacting you because we place a premium on the privacy of our customers, and because we want to be as transparent as possible with you about issues with the Jobs site that may impact you. In this case, you should be aware that you may receive some unsolicited e-mail (spam) as a result of this incident. As a general matter, you should always avoid opening suspicious or unsolicited e-mail, never respond to or click any links in spam, and avoid providing personal or financial information in an e-mail – especially credit card information, bank account information, passwords, and ID numbers. We will never ask you for your password or such sensitive personal information over e-mail.
As a resource, we have posted an online Q&A with additional information about this incident and steps to protect yourself against spam. In addition, the National Cyber Security Alliance and the Federal Trade Commission offer helpful material about staying safe online and avoiding phishing and other spam-related problems.
We will continue to focus on ensuring the security of the information that you provide to us through use of the Jobs website. We sincerely apologize for this incident and appreciate your use of Washington Post Jobs. Should you have any questions, please visit our online Q&A or contact firstname.lastname@example.org.
Director of Digital Product Development