The New York Times recently experienced a significant security breach, with their source code and internal data being leaked onto the 4Chan imageboard. This breach occurred after the theft of the company’s data from their GITHUB-RARTS back in January 2024.
The data leak was first noticed by the VX-UNDERGROUND team, who identified a torrent with an archive of 273 GB containing stolen data that was published on an anonymous forum last Thursday, June 6th.
The forum message revealed that almost the entire source code of The New York Times, totaling 270 GB, had been leaked. The archive included approximately 5,000 repositories, with less than 30 of them additionally encrypted and 3.6 million files undetected. Attackers also provided a list of 6,223 folders stolen from the GITHUB repository.
The stolen data encompassed a wide range of information, including IT documentation, infrastructure tools, and source code, such as the popular Wordle game. The attackers claimed to have used an open GitHub-Token to access the company’s repositories and perpetrate the data theft.
The New York Times acknowledged that the leak originated in January 2024 when accounting data for a third-party cloud platform was mistakenly published, which was later identified as the GitHub platform.
This breach marks the second high-profile leak on 4chan this week, following the publication of 415 MB of internal documents from the game Club Penguin. It was revealed that the Club Penguin data leak was part of the Disney Confluence server breach, where attackers stole 2.5 GB of internal corporate data.
The motives behind these leaks and whether they are the work of a single individual remain unclear. The use of the 4Chan imageboard for posting the stolen data adds another layer of mystery to the situation.