Info Data Leak

New York Times’ Source Code Hacked through Exposed GitHub Token

SecurityAffairs

Threat Actor: Anonymous user | Anonymous user
Victim: The New York Times | The New York Times
Price: N/A
Exfiltrated Data Type: Internal source code and data

Additional Information :

  • The New York Times’ internal data was leaked on 4chan by an anonymous user.
  • The leaked data includes 270GB of information and over 5,000 source code repositories, with less than 30 being encrypted.
  • The New York Times confirmed the legitimacy of the leaked data.
  • The data and source code were stolen from the company’s GitHub repositories in January 2024.
  • The stolen files may include IT documentation, infrastructure tools, and source code, including the Wordle game.
  • The threat actor claimed to have used an exposed GitHub token to access the repositories.
  • The Times initially stated that the attackers obtained credentials for a cloud-based third-party code platform, but later confirmed it was GitHub.
  • The security breach did not affect The New York Times’ internal systems or operations.

This week, VX-Underground first noticed that the internal data of The New York Times was leaked on 4chan by an anonymous user. The mysterious user leaked 270GB of data and claimed that the American newspaper has over 5,000 source code repositories, with less than 30 being encrypted.

The New York Times confirmed to BleepingComputer that the internal source code and data belonging to the company leaked on the 4chan message board is legitimate.

The Times said the data and source code were stolen from the company’s GitHub repositories in January 2024.

According to BleepingComputer stolen files may include IT documentation, infrastructure tools, and source code, allegedly the Wordle game.

The threat actor wrote he had used an exposed GitHub token to access the repositories, but The Times initially said that the attackers obtained the credentials for a cloud-based third-party code platform. Later, the company confirmed that the third-party platform was GitHub.

The Times clarified that the security breach of its GitHub account did not affect its internal systems and had no impact on its operations.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, The NY Times)

Original Source: https://securityaffairs.com/164280/data-breach/new-york-times-source-code-leaked.html

Tags: CLOUD, BREACH, IMPACT