The New York Instances notified an undisclosed variety of contributors that a few of their delicate private data was stolen and leaked after its GitHub repositories have been breached in January 2024.
As The Instances advised BleepingComputer final week, the attackers used uncovered credentials to hack into the newspaper’s GitHub repos. Nonetheless, the breach did not have an effect on the newspaper’s inside company techniques or operations.
The data stolen throughout the incident contains first and final names, in addition to numerous combos of affected people’ telephone numbers, e mail addresses, mailing addresses, nationality, bio, web site URLs, and social media usernames.
As well as, the compromised repositories additionally included data related to assignments, equivalent to diving and drone certifications or entry to specialised gear.
“The New York Times recently communicated to some of our contributors regarding an incident that resulted in the exposure of some of their personal information,” a Instances spokesperson advised BleepingComputer.
“We sent this note to freelance visual contributors that have done work for The Times in recent years. We don’t have indications the data exposure extended to full-time newsroom staff or other contributors.”
273GB of knowledge stolen in GitHub repo hack
As BleepingComputer reported over the weekend, a 273GB torrent file containing The New York Instances’ stolen information was leaked on the 4chan message board on Thursday.
“Basically all source code belonging to The New York Times Company, 270GB,” the 4chan discussion board submit mentioned. “There are around 5 thousand repos (out of them less than 30 are additionally encrypted I think), 3.6 million files total, uncompressed tar.”
“Around June 6, 2024, a post on another third-party site made this data publicly available, including a file that contained some of your personal information,” the Instances confirmed in information breach notification letters despatched to affected contributors.
The folder names point out that all kinds of knowledge was stolen, together with IT documentation, infrastructure instruments, and supply code, allegedly together with the viral Wordle recreation.
A ‘readme’ file within the archive states that the risk actor used an uncovered GitHub token to entry the corporate’s repositories and steal the information.
The Instances advises anybody affected by this information breach to be cautious of surprising emails, telephone calls, or messages requesting private data like usernames, passwords, and date of beginning which may very well be used to realize entry to their accounts with out permission.
The newspaper additionally warned them to make it possible for their private accounts, together with e mail and social media accounts, have robust passwords and two-factor authentication enabled to dam unauthorized entry makes an attempt.
