At a glance.
- Hackers compromise Washington Post email accounts.
- WestJet investigates cybersecurity incident.
- Google attributes last week's outage to API management bug.
Hackers compromise Washington Post email accounts.
A potentially state-sponsored attack compromised email accounts belonging to multiple journalists working for the Washington Post, according to the Wall Street Journal. The targeted reporters worked on the Post's national security and economic policy teams, including some who cover China. The Journal cites Washington Post employees as saying they "seldom put sensitive information into emails and instead prefer to use Slack for internal coordination and encrypted messaging services such as Signal to speak with sources."
The Post's Executive Editor Matt Murray said in an internal memo to employees, "Although our investigation is ongoing, we believe the incident affected a limited number of Post journalists' accounts, and we have contacted those whose accounts have been impacted. We do not believe this unauthorized intrusion impacted any additional Post systems or has had any impact for our customers."
WestJet investigates cybersecurity incident.
Canadian airline WestJet is investigating a "cybersecurity incident" that disrupted its internal systems and the WestJet app, BleepingComputer reports. The incident began on June 13th. WestJet said in an update yesterday, "As we continue work to determine the extent and overall impact of the cybersecurity incident, some guests may temporarily encounter intermittent interruptions or errors while using the WestJet app and/or WestJet.com and we are working to resolve these issues. Our operations remain safe and stable and are not impacted by the situation."
Google attributes last week's outage to API management bug.
Google has attributed last week's major Google Cloud outage to an API management bug. The company explained in an incident report, "On May 29, 2025, a new feature was added to Service Control for additional quota policy checks. This code change and binary release went through our region-by-region rollout, but the code path that failed was never exercised during this rollout due to needing a policy change that would trigger the code. As a safety precaution, this code change came with a red-button to turn off that particular policy serving path. The issue with this change was that it did not have appropriate error handling nor was it feature flag protected. Without the appropriate error handling, the null pointer caused the binary to crash. Feature flags are used to gradually enable the feature region by region per project, starting with internal projects, to enable us to catch issues. If this had been flag protected, the issue would have been caught in staging.
Google continued, "On June 12, 2025 at ~10:45am PDT, a policy change was inserted into the regional Spanner tables that Service Control uses for policies. Given the global nature of quota management, this metadata was replicated globally within seconds. This policy data contained unintended blank fields. Service Control, then regionally exercised quota checks on policies in each regional datastore. This pulled in blank fields for this respective policy change and exercised the code path that hit the null pointer causing the binaries to go into a crash loop. This occurred globally given each regional deployment."
