The New York Occasions notified an undisclosed variety of contributors that a few of their delicate private info was stolen and leaked after its GitHub repositories had been breached in January 2024.
As The Occasions informed BleepingComputer final week, the attackers used uncovered credentials to hack into the newspaper’s GitHub repos. Nonetheless, the breach did not have an effect on the newspaper’s inside company techniques or operations.
The knowledge stolen throughout the incident contains first and final names, in addition to varied mixtures of affected people’ telephone numbers, e-mail addresses, mailing addresses, nationality, bio, web site URLs, and social media usernames.
As well as, the compromised repositories additionally included info related to assignments, corresponding to diving and drone certifications or entry to specialised tools.
“The New York Occasions not too long ago communicated to a few of our contributors concerning an incident that resulted within the publicity of a few of their private info,” a Occasions spokesperson informed BleepingComputer.
“We despatched this word to freelance visible contributors which have finished work for The Occasions in recent times. We don’t have indications the info publicity prolonged to full-time newsroom employees or different contributors.”
273GB of information stolen in GitHub repo hack
As BleepingComputer reported over the weekend, a 273GB torrent file containing The New York Occasions’ stolen knowledge was leaked on the 4chan message board on Thursday.
“Principally all supply code belonging to The New York Occasions Firm, 270GB,” the 4chan discussion board submit mentioned. “There are round 5 thousand repos (out of them lower than 30 are moreover encrypted I feel), 3.6 million information complete, uncompressed tar.”
“Round June 6, 2024, a submit on one other third-party website made this knowledge publicly accessible, together with a file that contained a few of your private info,” the Occasions confirmed in data breach notification letters despatched to affected contributors.
The folder names point out that all kinds of knowledge was stolen, together with IT documentation, infrastructure instruments, and supply code, allegedly together with the viral Wordle recreation.
A ‘readme’ file within the archive states that the risk actor used an uncovered GitHub token to entry the corporate’s repositories and steal the info.
The Occasions advises anybody affected by this data breach to be cautious of sudden emails, telephone calls, or messages requesting private info like usernames, passwords, and date of start which might be used to realize entry to their accounts with out permission.
The newspaper additionally warned them to ensure that their private accounts, together with e-mail and social media accounts, have robust passwords and two-factor authentication enabled to dam unauthorized entry makes an attempt.
