New York Times source code leaked on 4chan after GitHub breach

10 Jun 2024


The paper confirmed to media that the breach by an unidentified threat actor took place in January and did not lead to unauthorised access to any of its systems.

The New York Times has become the latest victim of a breach after its internal source code and data were stolen through an exposed GitHub token and posted on 4chan.

First reported on X by VX-Underground, an educational website about malware and cybersecurity, the breach includes more than 270GB of the publication’s source code data, which was posted on the message board 4chan.

According to VX-Underground, the unidentified criminal posted on 4chan that the New York Times has more than 5,000 source code repositories, fewer than 30 of which are “encrypted”.

A file containing the complete list of folders stolen from the paper’s GitHub repository indicates that the data includes not just source code but also IT documentation and infrastructure tools.

The New York Times confirmed to BleepingComputer that the GitHub breach occurred in January.

“The underlying event related to yesterday’s posting occurred in January 2024 when a credential to a cloud-based third-party code platform [GitHub] was inadvertently made available. The issue was quickly identified, and we took appropriate measures in response at the time,” the company told the online publication.

It also said that there was “no indication” of unauthorised access to any of its systems or impact to its operations. “Our security measures include continuous monitoring for anomalous activity.”

The New York Times breach comes just days after a similar incident saw around 415MB of stolen internal documents from Disney’s Club Penguin game being posted on 4chan.

Sources told BleepingComputer that the Club Penguin leak was part of a wider breach of Disney’s Confluence server, where the unidentified threat actor stole 2.5GB of internal corporate data. It is not known whether this is the same actor behind the New York Times breach.

Ticketmaster customers got a scare last month when hackers claimed they had data for 560m accounts and put it up for sale on the dark web. Ticketmaster’s parent company LiveNation confirmed the breach in a filing with the US Securities and Exchange Commission, while a spokesperson told TechCrunch that its stolen database was hosted on Snowflake – a cloud storage company.

Since then, multiple breaches have been connected to Snowflake, which has more than 9,800 customers globally. The international bank Santander confirmed that it was the victim of a data breach, after a threat actor gained “unauthorised access to a Santander database hosted by a third-party provider”.


Vish Gain was a journalist with Silicon Republic
