Fortunately, the full story isn’t as damaging as the headline. Despite the loss of over a million user IDs, the hackers never managed to breach account passwords or personal information. This indicates that the attack was either not entirely successful, or it was designed to acquire fuel for a spam campaign, as The Washington Post site requires a user ID be a valid email address.
Despite being upfront about the attack, the publication hasn’t released specific information about how the intruders gained access to the servers containing this information. It’s not unclear if this was due to negligence or a particularly determined attack, nor is it clear why the first intrusion was not detected and dealt with before the second.
While any hack is certainly not a wanted occurrence, the damage from this particular raid is far less than what was recently suffered by companies such as Sony, which saw a substantial breach of user data including user IDs, passwords and personal information.
In this instance there’s little chance that the users of the website will become victims of identity theft, although the emails could possibly be utilized in phishing attacks targeting the publication.