New York Times investigating potential source code breach

The New York Times confirmed that it suffered a data breach leading to the leak of the publication's source code.

On June 6th, a post on the online forum 4chan alleged a massive data dump containing the Times' source code. Security researcher group vx-underground first reported on the potential breach on X, but noted they did not have a chance to examine the stolen data.

“Basically all source code belonging to The New York Times Company, 270GB. There are around 5 thousand repos (out of them less than 30 are additionally encrypted I think), 3.6 million files total,” the hacker wrote before signing it off, “With love from /aicg/.

While we did not download the archive, the threat actor shared a text file containing a complete list of the 6,223 folders stolen from the company's GitHub repository. Based on the folder names, it’s not just source code that was stolen. The hacker also exfiltrated IT documentation, infrastructure tools, email marketing campaigns, and ad reports.

How did it happen?

A 'readme' file in the archive states that the threat actor used an exposed GitHub token to access the company's repositories and steal the data. Interestingly, the breach occurred all the way back in January after credentials for a cloud-based third-party code platform (GitHub again) were exposed.

“There is no indication of unauthorized access to Times-owned systems nor impact to our operations related to this event. Our security measures include continuous monitoring for anomalous activity,” wrote responding to the news.

The Times leak is the second one published to 4chan this week. The first was a leak of 415MB of stolen internal documents for Disney's Club Penguin game. It was later revealed that the Club Penguin leak was part of a more significant attack on Disney, where the threat actors stole 2.5 GB of internal corporate data.

It is not known if it was the same person who conducted the New York Times and Disney breaches.