New York Times confirms data leak

273GB of 'source code belonging to The New York Times Company' appear on 4chan


A data leak containing internal information from The New York Times has emerged on the anonymous message board 4chan.

The leak, first discovered by VX-Underground, contains a massive 273GB archive with stolen data from the Times' GitHub repositories.

An anonymous user on Thursday uploaded a torrent file to 4chan, claiming it contained "basically all source code belonging to The New York Times Company."

"There are around 5 thousand repos (out of them less than 30 are additionally encrypted I think), 3.6 million files total, uncompressed tar," the post by the 4chan user stated.

The threat actor also uploaded a text file containing a directory listing of the 6,223 compromised folders. A "readme" file within the archive suggested that the attacker exploited an exposed GitHub token to access repositories and steal data.

Additionally, the file/folder names indicate a vast array of sensitive data, including source code for the entire website, potentially including the popular Wordle game, email marketing campaigns, ad reports, and even some personal information.

The New York Times confirmed the breach to Bleeping Computer, stating that a credential for a "cloud-based third-party code platform" (later confirmed to be GitHub) was inadvertently exposed in January 2024.

The NYT says it addressed the issue quickly and there's "no indication of unauthorised access to Times-owned systems nor impact to our operations."

"Our security measures include continuous monitoring for anomalous activity," it added.

The leak could have serious consequences for the publication. Attackers could study the leaked source code to find vulnerabilities in the website's infrastructure. Additionally, leaked marketing and advertising data could be used to gain an advantage over competitors.

The incident is not the first time the newspaper has faced cyberattacks.

In 2013, The New York Times and other media outlets were targeted by the Syrian Electronic Army, disrupting access to their websites.

Three years later, suspected Russian hackers breached email accounts belonging to The NYT and other American news organisations.

Data breach at Disney

The NYT data leak comes on the heels of another major data breach disclosed this week.

On 6th June, a user on 4chan claimed to have infiltrated Disney's servers running Confluence, a collaboration platform used by businesses.

The hacker reportedly downloaded 2.5GB of data, initially believed to be solely related to Club Penguin, the popular online game shut down in 2017. However, further investigation revealed a more extensive breach.

According to Bleeping Computer, which reviewed the documents, the stolen data goes far beyond Club Penguin. Hackers seemingly stumbled upon a treasure trove of sensitive information, including "Disney's corporate strategies, advertising plans, Disney+, internal developer tools, business projects, and internal infrastructure."

The leak is believed to be due to exposed credentials for Disney's Confluence servers. Confluence is developed by Atlassian.

Last month, two critical flaws in Atlassian's Confluence software (now patched) likely left hundreds of thousands of servers vulnerable, especially in the US.