Hackers have leaked a database containing over 2.3 million WIRED subscriber records, marking a major breach at Condé Nast, the parent company.
The threat actor “Lovely” claims this is just the start, promising to release up to 40 million more records from brands like Vogue and The New Yorker.
The data dump, posted on hacking forums like Breach Stars and BreachForums around Christmas Day 2025, includes 2.3 million email addresses, 285,936 names, 102,479 home addresses, and 32,426 phone numbers.
Records feature JSON-formatted profiles with fields like user IDs, creation dates from 2011 to 2022, and recent activity up to September 8, 2025. Screenshots from the leak show extensive file lists and redacted subscriber details across Condé Nast sites.
Hudson Rock researchers verified the WIRED data’s legitimacy by cross-referencing it with RedLine and Raccoon infostealer logs, confirming high-overlap compromised credentials.
The firm warns of a looming 40-million-line breach targeting Condé Nast’s shared identity system, which spans publications including Vanity Fair, GQ, and Architectural Digest. No passwords or payment info appeared in the initial dump, but PII exposure raises risks for phishing, doxing, and swatting.
Attackers exploited Insecure Direct Object References (IDOR) to scrape profiles by iterating through user IDs, resulting in large JSON exports.
Broken access controls on account endpoints enabled unauthenticated access to and modification of emails, passwords, and profiles. These flaws in the centralized platform enabled bulk exfiltration without full authentication.
| Data Type | Count |
|---|---|
| Emails | 2,300,000 |
| Names | 285,936 |
| Addresses | 102,479 |
| Phone Numbers | 32,426 |
In November 2025, “Lovely” posed as a researcher, “Dissent Doe,” and contacted DataBreaches.net to help notify Condé Nast of six vulnerabilities.
Despite repeated outreach, including via WIRED reporters and security teams, Condé Nast offered no public response or security.txt file. Frustrated, Lovely leaked the WIRED data as a “Christmas Lump of Coal,” accusing the firm of ignoring users.
Affected subscribers report hits on dark web monitors like Have I Been Pwned, which added the breach. Condé Nast’s silence amplifies risks, as shared logins could cascade across brands. Experts urge password resets and monitoring, highlighting the need for better vulnerability disclosure in media giants.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
