The New York Times notified an undisclosed number of contributors that some of their sensitive personal information was stolen and leaked after its GitHub repositories were breached in January 2024.
As The Times told BleepingComputer last week, the attackers used exposed credentials to hack into the newspaper’s GitHub repos. However, the breach didn’t affect the newspaper’s internal corporate systems or operations.
The information stolen during the incident includes first and last names, as well as various combinations of affected individuals’ phone numbers, email addresses, mailing addresses, nationality, bio, website URLs, and social media usernames.
The compromised repositories also included information relevant to assignments, such as diving and drone certifications or access to specialized equipment.
“The New York Times recently communicated to some of our contributors regarding an incident that resulted in the exposure of some of their personal information,” a Times spokesperson told BleepingComputer.
“We sent this note to freelance visual contributors that have done work for The Times in recent years. We don’t have indications the data exposure extended to full-time newsroom staff or other contributors.”
273GB of data stolen in GitHub repo hack
As BleepingComputer reported over the weekend, a 273GB torrent file containing The New York Times’ stolen data was leaked on the 4chan message board on Thursday.
“Basically all source code belonging to The New York Times Company, 270GB,” the 4chan forum post said. “There are around 5 thousand repos (out of them less than 30 are additionally encrypted I think), 3.6 million files total, uncompressed tar.”
“Around June 6, 2024, a post on another third-party site made this data publicly available, including a file that contained some of your personal information,” the Times confirmed in data breach notification letters sent to affected contributors.
The folder names indicate that a wide variety of information was stolen, including IT documentation, infrastructure tools, and source code, allegedly including the viral Wordle game.
A ‘readme’ file in the archive states that the threat actor used an exposed GitHub token to access the company’s repositories and steal the data.
The Times advises anyone affected by this data breach to be cautious of unexpected emails, phone calls, or messages requesting personal information like usernames, passwords, and dates of birth, which could be used to gain access to their accounts without permission.
The newspaper also warned them to make sure that their personal accounts, including email and social media accounts, have strong passwords and two-factor authentication enabled to block unauthorized access attempts.