The Washington Post is notifying almost ten thousand employees and contractors that their personal and financial information was stolen during a cyberattack linked to a flaw in Oracle E-Business Suite software.
The newspaper, which has around two and a half million digital subscribers, confirmed that attackers accessed parts of its network between July 10 and August 22 by using a security weakness that no one knew about at the time.
The hackers took advantage of this previously unknown issue to steal sensitive information and later attempted to extort the Washington Post in late September. The same flaw has been used to break into several other well-known organizations, including Harvard University, Envoy Air, and GlobalLogic. The attackers are not named in the notification letter, but researchers have linked the activity to the Clop ransomware group. The vulnerability they exploited is now identified as CVE 2025 61884.
In its notice to affected workers, the Washington Post explained that Oracle revealed the vulnerability while the company was still investigating the incident. On September 29, a hacker contacted the newspaper claiming to have gained access to its systems. The Post immediately brought in security experts to look deeper into the issue. During the review, Oracle confirmed that the flaw could allow unauthorized access to many companies that used the same software.
The investigation, which ended on October 27, showed that the stolen data included full names, bank account information, routing numbers, Social Security numbers, and other identification or tax related details. In total, information belonging to nine thousand seven hundred twenty employees and contractors was exposed.
To help protect those affected, the Washington Post is offering one year of free identity protection through IDX. It is also advising people to consider placing a freeze on their credit and to set up fraud alerts to reduce the risk of financial harm.
If this article helped you, please consider supporting our work. Every small contribution keeps Abijita.com independent and running.
This cyberattack comes only a few months after another incident in June, when email accounts belonging to several Washington Post journalists were compromised by foreign state actors. While the two breaches happened close together, there is no clear evidence so far that they are connected.
