Have I Been Pwned has added the information for 26,818,266 people whose data was leaked in a recent hack of The Post Millennial conservative news website.
The Post Millennial is a conservative Canadian online news magazine belonging to the Human Events Media Group, which also operates the American ‘Human Events’ news platform.
Earlier this month, both news platforms were hacked, with their sites’ front pages defaced with fake messages claiming to be written by The Post Millennial’s editor, Andy Ngo.
As part of the attacks, the threat actors claim to have stolen the company’s mailing lists, subscriber database, and details of the company’s writers and editors, and they posted links to the stolen data on the defaced pages.
The data quickly spread online through torrents and hacking forums, making it easy for threat actors and others to download.
The exposed data includes the following types of information:
- Full names
- Email addresses
- Usernames
- Account passwords
- IP addresses
- Phone numbers
- Physical addresses
- Genders
This data allegedly belongs to writers, editors, and subscribers to the sites, which could create significant privacy and security risks for the exposed individuals.
Yesterday, Troy Hunt added the data to the Have I Been Pwned data breach notification service, noting that the data has not been confirmed to have been stolen directly from Human Events or The Post Millennial.
As the leaked data covers a considerable number of users, Hunt decided to add it to HIBP to alert those potentially exposed.
“The breach resulted in the defacement of the website and links posted to 3 different corpuses of data including hundreds of writers and editors (IP, physical address, and email exposed), tens of thousands of subscribers to the site (name, email, username, phone and plain text password exposed), and tens of millions of email addresses from several thousand mailing lists alleged to have been used by The Post Millennial (this has not been independently verified),” reads HIBP’s post.
“The mailing lists appear to be sourced from various campaigns not necessarily run by The Post Millennial and contain a variety of different personal attributes including name, phone and physical address (depending on the campaign).”
As tweeted by Troy Hunt, while the data was leaked as part of The Post Millennial defacement, it is unclear where it originated.
At the time of writing, The Post Millennial has not issued a public statement regarding the site’s defacement or warned its subscribers that data may have been exposed.
BleepingComputer has contacted both The Post Millennial and Human Events for a comment but has not received a reply.
In the meantime, if you are a subscriber to either of these news outlets, reset your passwords and monitor account activity closely. Also, treat all communications (email, calls, SMS) with vigilance.