In a significant cybersecurity incident, a 4chan user has leaked approximately 270GB of internal data from The New York Times, which purportedly includes vast amounts of source code and other web assets.
The anonymous user claimed that the leaked data encompasses nearly 5,000 repositories and around 3.6 million files, including blueprints for projects like Wordle, email marketing campaigns, and advertisement reports. Details for accessing the leaked data were shared via the notorious image board, allowing the files to be downloaded from peer-to-peer networks.
While The Register has reviewed a list of files from the alleged leak, it has not yet independently verified the authenticity of the data.
The New York Times did not initially respond to requests for comment. However, an update on June 10 confirmed the breach, revealing that an accidental credential leak led to the theft of their source code and other assets from a third-party code hosting platform in January 2024.
Official Statement: Accidental Credential Leak
A New York Times spokesperson disclosed, “Yesterday’s posting relates to an incident from January 2024, when someone inadvertently made a credential for a cloud-based third-party code platform available. We quickly identified the issue and took appropriate measures in response at the time. We have found no indications of unauthorized access to Times-owned systems or impacts on our operations related to this event.”
The files leaked contain a significant amount of JavaScript and TypeScript, and the file names indicate that fewer than 30 repositories have encryption. This exposure of personal information and proprietary code poses a substantial risk for The New York Times.
This incident echoes past cyber-attacks on media outlets, such as the 2013 attack by the Syrian Electronic Army and the 2016 breach by suspected Russian cyber-spies, which also targeted The New York Times and other American news organizations. The latter incident involved unauthorized access to email inboxes.
As The Register experienced a failed spear-phishing attack by the Syrian Electronic Army, the publication implemented mandatory multi-factor authentication to bolster its security measures.
The New York Times is currently investigating the scope of the data breach and working to mitigate any potential fallout from the leaked information. Further updates will be provided as more details emerge.