New York Times source code stolen using exposed GitHub token
Internal source code and data belonging to The New York Times was leaked on the 4chan message board after being stolen from the company's GitHub repositories in January 2024, The Times confirmed.
As first seen by VX-Underground, the internal data was leaked on Thursday by an anonymous user who posted a torrent to a 273GB archive containing the stolen data.
"Basically, all source code belonging to The New York Times Company, 270GB," reads the 4chan forum post.
"There are around 5 thousand repos (out of them less than 30 are additionally encrypted I think), 3.6 million files total, uncompressed tar."
The threat actor shared a text file containing a complete list of the 6,223 folders stolen from the company's GitHub repository.
The folder names indicate that a wide variety of information was stolen, including IT documentation, infrastructure tools, and source code, allegedly including the viral Wordle game.
A 'readme' file in the archive states that the threat actor used an exposed GitHub token to access the company's repositories and steal the data.
In a statement, The Times said the breach occurred in January 2024 after credentials for a cloud-based third-party code platform were exposed. A subsequent email confirmed this code platform was GitHub.
The company said that the breach of its GitHub account did not affect its internal corporate systems and had no impact on its operations.
The Times leak is the second one published to 4chan this week, with the first being a leak of 415MB of stolen internal documents for Disney's Club Penguin game.
Sources report that the Club Penguin leak was part of a more significant breach of Disney's Confluence server, where the threat actors stole 2.5 GB of internal corporate data.
It is not known if it was the same person who conducted the New York Times and Disney breaches.
Comments