New York Times source code compromised via exposed GitHub token

Pierluigi Paganini June 08, 2024

The source code and data of The New York Times leaked on the 4chan was stolen from the company’s GitHub repositories in January 2024.

This week, VX-Underground first noticed that the internal data of The New York Times was leaked on 4chan by an anonymous user. The mysterious user leaked 270GB of data and claimed that the American newspaper has over 5,000 source code repositories, with less than 30 being encrypted.

The New York Times confirmed to BleepingComputer that the internal source code and data belonging to the company leaked on the 4chan message board is legitimate.

The Times said the data and source code were stolen from the company’s GitHub repositories in January 2024.

According to BleepingComputer stolen files may include IT documentation, infrastructure tools, and source code, allegedly the Wordle game.

The threat actor wrote he had used an exposed GitHub token to access the repositories, but The Times initially said that the attackers obtained the credentials for a cloud-based third-party code platform. Later, the company confirmed that the third-party platform was GitHub.

The Times clarified that the security breach of its GitHub account did not affect its internal systems and had no impact on its operations.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, The NY Times)

you might also like

leave a comment