The stolen and leaked source code of The New York Times on 4chan.

In a significant security incident, the internal source code and other data of the New York Times were leaked on the 4chan forum. This incident occurred after a data theft from the company’s GitHub repositories in January 2024, as confirmed by the New York Times.

Last Thursday, an anonymous user posted a torrent on 4chan with a 273GB file containing the stolen data. This leak was initially detected by VX-Underground. “Basically all the source code belonging to The New York Times Company, 270GB,” the post on 4chan read.

According to the post on the forum, the file contains around 5,000 repositories and a total of 3.6 million files, with fewer than 30 repositories additionally encrypted. The uncompressed file was published in tar format.

Details of the Theft and Leak

The threat actor shared a text file containing a complete list of the 6,223 folders stolen from the company’s GitHub repository. The folder names indicate that a wide variety of information was stolen, including IT documentation, infrastructure tools, and source code, presumably including that of the viral game Wordle.

A ‘readme’ file in the leaked file indicates that the threat actor used an exposed GitHub token to access the company’s repositories and steal the data.

In a statement, the New York Times confirmed that the breach occurred in January 2024 after credentials for a third-party cloud code platform were exposed. A subsequent email confirmed that this code platform was GitHub.

“The underlying event related to yesterday’s publication occurred in January 2024 when a credential for a third-party cloud code platform was inadvertently made available. The issue was quickly identified, and we took appropriate action in response at that time. There is no indication of unauthorized access to Times-owned systems or impact on our operations related to this event. Our security measures include continuous monitoring to detect abnormal activity,” stated the New York Times.

The company added that the breach in their GitHub account did not affect their internal corporate systems or have any impact on their operations.

Context and Repercussions

This incident highlights the growing vulnerability of large companies to cyberattacks targeting their software development platforms. Code repositories, such as those found on GitHub, are attractive targets for cybercriminals due to the valuable information they can contain, including proprietary source code, internal documentation, and infrastructure tools.

The New York Times leak is the second one published on 4chan this week, with the first being a leak of 415MB of internal documents stolen from Disney’s Club Penguin game. Sources reported that the Club Penguin leak was part of a larger breach on Disney’s Confluence server, where threat actors stole 2.5GB of internal corporate data.

It is unknown if the same person carried out the breaches at the New York Times and Disney.

Implications for Cybersecurity

Incidents like these underscore the importance of security in software development platforms. Exposed credentials can lead to massive data leaks that not only compromise a company’s intellectual property but also sensitive information and internal operations.

Companies should take proactive measures to protect their code repositories, including implementing multi-factor authentication (MFA), regularly rotating credentials, and continuously monitoring for abnormal activity. Additionally, employee training and awareness of security best practices can help prevent security incidents.

In summary, the theft and leak of the New York Times’ source code serves as a stark reminder of the cyber risks organizations face today and the need to strengthen security defenses at all levels.
