Washington Post breach exposes personal data of nearly 10,000 workers

The Washington Post is notifying nearly 10,000 employees and contractors that personal and financial data was exposed after threat actors accessed parts of its network between July and August, the news organisation said. The Post has about 2.5 million digital subscribers.

Investigators found the unauthorized access occurred between July 10 and Aug. 22 after attackers exploited a then-zero-day vulnerability in Oracle E-Business Suite, an enterprise resource planning platform used for human resources, finance and supply chain functions. In late September, the hackers attempted to extort the Post and other organisations they had breached.

Oracle disclosed the security vulnerability while the Post was investigating the incident. The Post’s notification letter says Oracle announced it had identified a previously unknown and widespread flaw that permitted unauthorized actors to access many customers’ E-Business Suite applications.

Security researchers have linked the Clop ransomware group to attacks exploiting the flaw, which is now tracked as CVE-2025-61884. Other organisations reported to have been breached using the same vulnerability include Harvard University, American Airlines subsidiary Envoy Air and Hitachi unit GlobalLogic.

The Post concluded its investigation on Oct. 27 and said data belonging to 9,720 employees and contractors had been compromised, including full names, bank account and routing numbers, Social Security numbers, and tax and identification numbers. Impacted individuals were offered 12 months of identity protection through IDX and were advised to consider placing security freezes on credit files and setting up fraud alerts.

In June the Post disclosed that the email accounts of several journalists had been compromised in a separate cyberattack attributed to foreign state actors; the organisation said there is evidence of a connection between the two incidents.