Hackers broke into The Washington Post‘s servers over the past several days, gaining access to sensitive information like employee usernames and passwords, the newspaper said Wednesday.
The extent of the data loss was not immediately clear, but security firm Mandiant, which the newspaper contracts to monitor its networks, reported that the intrusion was of a “relatively short duration,” according to the Post.
“This is an ongoing investigation, but we believe it was a few days at most,” Post spokeswoman Kris Coratti said.
The Post article said all employees have been instructed to change passwords. Employee passwords are encrypted, but officials fear hackers may have the ability to decrypt them.
This security breach is the third major intrusion the company has suffered in as many years. The Post was targeted in late 2011 as part of a sweeping attack from Chinese hackers that included The New York Times, Associated Press, Bloomberg, and the Wall Street Journal.
The Washington Post was also victim to a less sophisticated attack in August that did not directly access its servers. The Syrian Electronic Army – which supports Syrian leader Bashar al-Assad in that country’s bloody civil war – hacked WashingtonPost.com and redirected some readers to its own website. The group is also suspected in an email phishing scheme that may have tricked employees into divulging their usernames and passwords.
Perpetrators of the latest hack have yet to be identified.