Data Breach of AP Stylebook Leads to Phishing Attacks

Users of the AP Stylebook have been targeted in phishing campaigns by bad actors using personal information stolen in a data breach in July.

According to the Associated Press, cybercriminals between July 16 and 22 hacked into the database of an old AP Stylebook website that was no longer being used but was still available online and being maintained by, a third-party company that manages style guides used by businesses and journalists.

The active AP Stylebook was not affected, the news service said. The AP’s stylebook is used by writers, editors, and news organizations around the world as a writing style and usage guide touching on such areas as grammar and punctuation.

Stylebooks notified the AP of the breach July 20. According to a September 1 notice the AP sent to customers whose data was compromised, the hackers gained access to a range of personal information, including names, email and street addresses, victims’ city, state, zip code, and phone numbers, and user ID.

In addition, they also gained access to users’ Social Security numbers to Taxpayer ID numbers, depending on the information the customer submitted.

In all, the information of 224 journalists and other customers were exposed in the breach, according to a notice filed with the state of Maine.

Then Came the Phishing Emails

According to the news service, some customers of the AP Stylebook were hit with phishing emails that directed them to a fake website impersonating the AP Stylebook, asking them to update their credit card information.

After being notified by of the breach, the AP started working with a cyber-forensics company to investigate and mitigate the incident. The old AP Stylebook was taken offline on July 23 and four days later, the spoofed Stylebooks website also was taken down.

The news service said there was no identity theft or fraud resulting from the data breach. Customers of both the old and current stylebooks were notified and were told to change their passwords before they could access the active Stylebook website.

The AP did not detail how the hackers were able to compromise the old Stylebook site.

The organization is offering users whose information was stolen 24 months of free Experian’s service, which includes credit monitoring and identity restoration services, and outlined steps they can take to activate their membership with the credit services provider. They have until December 30 to sign up.

Media Companies Become Targets

The AP is only the latest news organization that has been the target of cyberattack. The Philadelphia Inquirer in May was hit by a ransomware attack that interrupted the publication of a Sunday edition of the newspaper. The Cuba ransomware group later took credit for the attack and published some of the data on its extortion leak site.

The Guardian newspaper in late December 2022 also was hit by a ransomware attack in which personal data – including employee names, addresses, UK national insurance numbers, government identity documents, and salaries – were stolen. Earlier last year, News Corp, which publishes the Wall Street Journal and New York Post – sustained a data breach by threat actors that spent at least two years inside the media giant’s systems, getting access to such information as employee names, Social Security and driver’s license numbers, and financial account, medical, and health insurance data.

Cybersecurity researchers over the past couple of years have tracked a rise in attacks against media organizations. In a report in 2021, Atos analysts noted that the media and entertainment industry help form public opinion and a national view of events in the world, which makes them attack targets for not only cyberthreat groups but also nation-states and hacktivist that want more visibility for their messages.

“Media houses command a significant soft power to retain and spread their influence by advocating their agenda, gathering public opinion and shaping it,” the Atos researchers wrote. “They also maintain tons of raw reporting and information acquired from lesser-known sources.”

Nation-state actors in particular “may try to exfiltrate or destruct such content to expose or discourage certain publications or merely to evaluate what the organization knows about the issue and identify its sources.”

Cybersecurity firm BlueVoyant wrote in a report last year that the combination of vulnerabilities in their public-facing operations and a complex supply chain made media companies susceptible to attacks.

“Today’s interconnected and overlapping virtual ecosystems creates challenges for the secure production, distribution, and management of media,” the company wrote. “From concept to camera and from camera to consumer, media companies are dependent on vendors, service providers, partners, and technologies. The third-party ecosystem is particularly fragmented in the media industry and its dependence on a large number of vendors, varied in size and cyber exposure, adds to the complexity of managing risk.”

Avatar photo

Jeffrey Burt

Jeffrey Burt has been a journalist for more than three decades, writing about technology since 2000. He’s written for a variety of outlets, including eWEEK, The Next Platform, The Register, The New Stack, eSecurity Planet, and Channel Insider.

jeffrey-burt has 333 posts and counting.See all posts by jeffrey-burt