New York Times Internal Data Nabbed From GitHub

Source: Michele D’Ottavio via Alamy Stock Photo

A 4chan user has leaked 270GB of internal New York Times data — allegedly including source code for the popular Wordle game and other parts of the business — as part of an incident that the media outlet partially confirmed this week.

The anonymous 4chan user claimed to have gained access to 5,000 GitHub repositories, mostly unencrypted, containing a collective 3.6 million files, including “basically all source code belonging to the New York Times Company.”

Such claims from cybercriminals should always be taken with a grain of salt. But at least one researcher, Alex Ivanovs, says he has verified part of the data as legitimate, including source code for Wordle; a WordPress database of 1,500 New York Times Education site users with names, email addresses, and hashed passwords; internal Slack communications; and authentication details such as “URLs and their respective passwords, secret keys, and API tokens. … Plenty of such secrets need immediate attention.”

For its part, a spokesperson for the Gray Lady confirmed that data was accessed back in January, but didn’t verify the granular details of the incident.

“The underlying event related to the recent online posting of Times information occurred in January 2024, when a credential to a cloud-based third-party code platform was inadvertently made available," says Charlie Stadtlander, New York Times managing director for external communications, newsroom, and opinion. "The issue was quickly identified, and we took appropriate measures in response at the time. There is no indication of unauthorized access to Times-owned systems nor impact to our operations related to this event. Our security measures include continuous monitoring for anomalous activity.”

Source-Code Leaks Have Wide-Ranging Implications

If the data trove is indeed as extensive as claimed, the ramifications could be significant for the Times itself, as well as for subscribers.

“The very nature of source code means that malicious actors could examine it for vulnerabilities to exploit in cyberattacks,” noted Javvad Malik, lead security awareness advocate at KnowBe4, in an emailed statement. “Additionally, the claim that only a small fraction of the repositories were encrypted highlights a potential gap in data protection strategies.”

Thomas Richards, principal security consultant at Synopsys, added in an email that the exposure of source code could also allow cybercriminals to tamper with applications, games, and internal infrastructure for use in any number of nefarious attacks.

“What should be sending alarm bells through the NYTimes security team is that someone had a privileged level of access inside their network to even access the source code,” he said. “If they were in the network just to view the code, they could also tamper with the code to introduce vulnerabilities or backdoors to allow additional compromise. The NYTimes should do a thorough review of all their source code to make sure it was not tampered with or that unauthorized changes were made.”

Even if the data affected is less impacting than many fear, the incident is the latest, along with the recently revealed Ticketmaster breach, to showcase issues in securing third-party cloud assets.

This is a developing story.

About the Author(s)

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.