WIRED 2.3 million subscribers allegedly leaked, hacker threatens 40 million more of Condé Nast portfolio
Learn More
A database allegedly containing personal information of over 2.3 million WIRED magazine subscribers was leaked on the newly revived BreachForums platform.
The data set was posted on December 26, 2025, by a forum moderator known as "Tanaka". The attacker, operating under the alias "Lovely," claims that this is a start of a much larger compromise targeting parent company Condé Nast. The attacker has threatened to release an additional 40 million records spanning the entire Condé Nast portfolio, including high-profile publications such as Vogue, The New Yorker, and Vanity Fair.
Cybersecurity firm Hudson Rock authenticated the legitimacy of the leaked WIRED data by cross-referencing it with logs from infostealer malware infections, including RedLine and Raccoon, confirming that the breach is both genuine and current, with the most recent entries dated September 8, 2025.
The attack apparently exploited multiple critical vulnerabilities in Condé Nast's centralized identity and subscription management platform. According to Hudson Rock's technical analysis, the threat actor used Insecure Direct Object References (IDOR) to scrape user profiles by systematically iterating through user ID parameters in the system.
It seems the vulnerabilities affected the shared infrastructure supporting multiple Condé Nast publications, explaining the threat actor's claim of access to 40 million records across dozens of brands. The compromised data includes:
- 2.3 million email addresses
- 285,936 full subscriber names
- 102,479 home addresses
- 32,426 phone numbers
- Dates of birth
- Gender information
- Geographic locations
- Account metadata including creation dates and last login timestamps
Many profiles contain blank fields for certain data points, a substantial portion includes complete personally identifiable information that poses risks for targeted attacks.
Independent verification of the breach came from WIRED subscribers who reported receiving alerts from digital footprint scanners and dark web monitoring tools as early as December 23, 2025. Despite these early warning signals and the public availability of the leaked data on multiple forums, Condé Nast has not issued any public statement, initiated mandatory password resets for affected users, or provided any notification to subscribers about the compromise of their personal information.
