We study the security threats of power system operation brought by a class of data injection attacks upon load forecasting algorithms. In particular, with minimal assumptions on the knowledge and ability of the attacker, we design attack data on input features for load forecasting algorithms in a black-box approach. System operators can be oblivious of such wrong load forecasts, which lead to uneconomical or even insecure decisions in commitment and dispatch. This paper is the first attempt to bring up the security issues of load forecasting algorithms to our knowledge, and show that accurate load forecasting algorithm is not necessarily robust to malicious attacks. More severely, attackers are able to design targeted attacks on system operations strategically with additional topology information. We demonstrate the impact of load forecasting attacks on two IEEE test cases. We show our attack strategy is able to cause load shedding with high probability under various settings in the 14-bus test case, and also demonstrate system-wide threats in the 118-bus test case with limited local attacks.