The New York Times’ internal source code and data, comprising 273 GB of data with over 3.6 million files, were leaked on the 4chan message board in January 2024 after being stolen from the company’s GitHub repositories.
The leak was first spotted by VX-Underground, a cybersecurity research group, when an anonymous user posted a torrent link to a massive archive of around 270 GB containing the stolen data.
The 4chan forum post detailed the contents, mentioning, “Basically all source code belonging to The New York Times Company, 270 GB,” and highlighted the presence of around five thousand repositories, with less than 30 possibly being encrypted.
The threat actor provided a text file listing all 6,233 folders from The Times’ GitHub repository. These folders encompassed a diverse range of information, including IT documentation, infrastructure tools, and potentially the source code for the popular Wordle game, noted Bleeping Computer.
In a ‘readme’ file within the archive, the threat actor claimed to have utilised an exposed GitHub token to gain unauthorised access to the company’s repositories and exfiltrate the data.
Responding to inquiries, The Times informed Bleeping Computer that the breach occurred in January 2024 due to exposed credentials for a cloud-based third-party code platform, later confirmed to be GitHub. The company clarified that while this breach affected GitHub, it did not compromise its internal corporate systems or disrupt its operations.
“The underlying event related to yesterday’s posting occurred in January 2024 when a credential to a cloud-based third-party code platform was inadvertently made available. The issue was quickly identified and we took appropriate measures in response at that time. There is no indication of unauthorised access to Times-owned systems nor impact to our operations related to this event. Our security measures include continuous monitoring for anomalous activity,” said NYT.
This incident marks the second high-profile leak on 4chan following a breach involving Disney’s Club Penguin game, which exposed 415 MB of internal documents. Sources claim that Club Penguin was part of a larger intrusion into Disney’s Confluence server, resulting in the theft of 2.5 GB of internal corporate data.
It remains unclear whether the same individual or group orchestrated both the NYT and Disney breaches.