USPS told employees in this week’s memo that it shifted LiteBlue to multi-factor authentication (MFA) on Jan. 15.
USPS will require employees logging into LiteBlue to reset their password, verify the last four digits of their Social Security Number, and set up their multi-factor authentication preferences.
Once enabled, USPS will require employees to enter an MFA code prior to accessing their online accounts.
USPS said in a statement that it is “continuing to take precautionary measures to prevent further unauthorized activity.” The agency said it has notified affected employees, and is purchasing a one-year credit monitoring service for them.
USPS said that LiteBlue and PostalEASE, the self-service application reached through LiteBlue for employment-related services, have not been compromised.
According to USPS, its Office of Inspector General notified the Postal Inspection Service and USPS Corporate Information Security Office about “unusual log-in activity involving a limited number of employees’ accounts within the Postal Service’s PostalEASE system.”
“A limited number of employees have reported unusual account activity involving their PostalEASE accounts, which has been attributed to their prior interaction with the fake LiteBlue websites,” the agency said.
“Management has provided an update about the implementation of MFA to log into LiteBlue after cyber criminals gained access to sensitive employee data using fake websites that closely resembled LiteBlue,” APWU wrote. “The fraudsters used this information to make changes to net-to-bank and allotment accounts to divert and steal direct deposit funds.”
Fraudsters appear to have been targeting USPS employees for at least a month.
The National Association of Letter Carriers, in a Dec. 21 post on its website, said USPS had confirmed some employees unknowingly provided their usernames and passwords to criminal websites while attempting to access PostalEASE.
NALC said that approximately 119 USPS employees attempted to access PostalEASE through a Google search, instead of entering the web address directly into their browser.
“Google’s routers redirected their searches to third-party criminally run websites that mirror the look and access of PostalEASE. Unfortunately, their logon credentials were hacked, and some accounts were compromised,” NALC wrote.
NALC is asking its members whose credentials have been compromised to notify the union on its website, in order for NALC to report the scope of the problem to USPS.
“Specific banking industry standards require financial institutions to provide relief in certain situations. However, several third-party websites were criminal scams, and likely, some of the lost monies will not be returned. USPS does not have the total dollar loss currently available. USPS states liability for the hacking, bank account breaches and lost monies remains with Google,” NALC wrote.
An earlier USPS memo dated Dec. 30, 2022, also warned employees about a fraud scheme by cyber criminals using a fake version of the LiteBlue website.
“When you attempt to log in to a fake site, scammers collect your username and password. Scammers can record this information and use it to enter PostalEASE,” the memo states. “There, scammers may access your sensitive data, which they can manipulate for financial gain.”
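The phishing mechanism described by NALC and in the Dec. 30 memo (employees reaching a lookalike site through search results instead of typing the address) is one that a small host check can catch before a password is ever typed. The following is an added example, not USPS code or anything from the memo; it assumes the legitimate host is liteblue.usps.gov and treats "liteblue", "postalease" and "usps" as brand labels worth flagging when they appear in an unrelated domain (both assumptions). All sample URLs are constructed.

```python
# Added example (not USPS code): flag login URLs whose host is not the
# legitimate LiteBlue host. ASSUMPTIONS: the legitimate host is
# liteblue.usps.gov and the brand labels below; all sample URLs are constructed.
from urllib.parse import urlsplit

LEGIT_HOST = "liteblue.usps.gov"                     # assumption
BRAND_LABELS = ("liteblue", "postalease", "usps")    # assumption


def host_of(url: str) -> str:
    """Extract the lowercase host, tolerating a missing scheme, userinfo and port."""
    if "://" not in url:
        url = "https://" + url
    # .hostname drops the port and any user:pw@ prefix and lowercases the name
    return (urlsplit(url).hostname or "").rstrip(".")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch hosts a character or two off the real one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for a login URL."""
    host = host_of(url)
    if not host:
        return "unrelated"
    # The exact host, or a subdomain of it, is the real site. A host that merely
    # starts with the real name (liteblue.usps.gov.evil.example) is not.
    if host == LEGIT_HOST or host.endswith("." + LEGIT_HOST):
        return "legitimate"
    # Raw non-ASCII or punycode labels: possible homoglyph domain.
    if not host.isascii() or any(lbl.startswith("xn--") for lbl in host.split(".")):
        return "lookalike"
    # Brand names embedded anywhere in the host (hyphens removed so lite-blue
    # still matches), or a host within a few edits of the real one.
    squeezed = host.replace("-", "")
    if any(lbl in squeezed for lbl in BRAND_LABELS):
        return "lookalike"
    if edit_distance(host, LEGIT_HOST) <= 3:
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample URLs, not real phishing sites.
    samples = [
        "https://liteblue.usps.gov/",
        "https://liteblue-usps.com/login",
        "https://liteblue.usps.gov.login-portal.example/",
        "https://liteb1ue.usps.gov/",
        "https://xn--80ak6aa92e.example/",
        "https://www.example.org/",
    ]
    for u in samples:
        print(f"{classify(u):11} {u}")
```

The check is deliberately conservative: anything that is not the assumed legitimate host or one of its subdomains is either flagged as a lookalike or left as "unrelated", so a URL copied from a search result can be vetted before credentials are entered. A production version would compare registrable domains using the public suffix list rather than a suffix match, and would still not catch a phishing page hosted on a wholly unrelated domain, which is why the memo's advice to type the address directly remains the primary control.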
USPS in the memo said its direct deposit Net to Bank and Allotment functionalities have been disabled online in the PostalEASE application.
The Dec. 30 memo also said USPS had temporarily suspended external access to PostalEASE via personal computer “until further notice.”
USPS employees during this period could still cancel allotments, or enable or change their direct deposit settings over the phone by calling the USPS Human Resources Shared Service Center (877-477-3273).
The agency said employees who make these changes over the phone need to have their employee identification number (EIN) and personal identification number (PIN).