The Washington Post is notifying nearly 10,000 employees and contractors that some of their personal and financial data has been exposed in the Oracle data theft attack.
The news organization is one of the largest daily newspapers in the U.S. with approximately 2.5 million digital subscribers.
Between July 10 and August 22, threat actors accessed parts of its network. They leveraged a vulnerability in Oracle E-Business Suite software that was a zero-day at the time to steal sensitive data.
In late September, the hackers tried to extort the Washington Post, along with other major companies they had breached the same way.
The hackers leveraged a then-zero-day vulnerability in Oracle E-Business Suite software that the Washington Post used internally, stole data, and then attempted to extort the firm in late September.
Oracle E-Business Suite is a widely used enterprise resource planning (ERP) platform with HR, finance, and supply chain functions that large organizations use internally.
According to the Washington Post's notification to impacted individuals, Oracle disclosed the security vulnerability while the news organization was investigating the breach incident.
“On September 29, 2025, the Post was contacted by a bad actor who claimed to have gained access to its Oracle E-Business Suite applications,” describes the letter.
“In response, the Post launched a thorough investigation of its Oracle application environment with the assistance of experts to determine if the environment had been accessed without authorization.”
... continue reading