Incident

Source code and freelancer data of New York Times stolen using unsecured GitHub token



The New York Times has been hit with theft of internal source code and data, which was subsequently leaked on the 4chan message board.

The stolen data includes around 5,000 repositories of IT documentation, infrastructure tools, source code (including the viral Wordle game) and email marketing campaigns. In total, approximately 273GB of data, or 3.6 million files, was leaked. The breach was executed using an exposed GitHub token that provided access to The New York Times’ repositories. The token credentials for a cloud-based third-party code platform were inadvertently exposed, leading to unauthorized access.

The breach occurred in January 2024 and was facilitated through an exposed GitHub token, as confirmed by The Times.

The number of affected individuals is not specified. However, The Times claims that there was no unauthorized access to its internal corporate systems and no impact on its operations. The breach was confined to their GitHub repositories.

Update - As of 13th of June 2024, the New York Times has alerted its freelance contributors that the data breach involving its GitHub repositories exposed personal data.

The compromised data includes a range of personal information, such as:

  • First and last names
  • Phone numbers
  • Email addresses
  • Mailing addresses
  • Nationality
  • Biographical details
  • Website URLs
  • Social media usernames
  • Information relevant to assignments (e.g., diving and drone certifications, access to specialized equipment)

The Times has advised the affected individuals to be vigilant against unsolicited emails, phone calls, or messages seeking personal information. They are also urged to ensure that their personal accounts have robust passwords and two-factor authentication to prevent unauthorized access.
