The New York Instances notified an undisclosed variety of contributors that a few of their delicate private data was stolen and leaked after its GitHub repositories had been breached in January 2024.
As The Instances instructed BleepingComputer final week, the attackers used uncovered credentials to hack into the newspaper’s GitHub repos. Nonetheless, the breach did not have an effect on the newspaper’s inner company techniques or operations.
The knowledge stolen throughout the incident contains first and final names, in addition to numerous combos of affected people’ telephone numbers, electronic mail addresses, mailing addresses, nationality, bio, web site URLs, and social media usernames.
As well as, the compromised repositories additionally included data related to assignments, akin to diving and drone certifications or entry to specialised gear.
“The New York Instances just lately communicated to a few of our contributors relating to an incident that resulted within the publicity of a few of their private data,” a Instances spokesperson instructed BleepingComputer.
“We despatched this be aware to freelance visible contributors which have executed work for The Instances lately. We don’t have indications the info publicity prolonged to full-time newsroom workers or different contributors.”
273GB of information stolen in GitHub repo hack
As BleepingComputer reported over the weekend, a 273GB torrent file containing The New York Instances’ stolen knowledge was leaked on the 4chan message board on Thursday.
“Principally all supply code belonging to The New York Instances Firm, 270GB,” the 4chan discussion board submit stated. “There are round 5 thousand repos (out of them lower than 30 are moreover encrypted I feel), 3.6 million recordsdata whole, uncompressed tar.”
“Round June 6, 2024, a submit on one other third-party web site made this knowledge publicly out there, together with a file that contained a few of your private data,” the Instances confirmed in knowledge breach notification letters despatched to affected contributors.
The folder names point out that all kinds of data was stolen, together with IT documentation, infrastructure instruments, and supply code, allegedly together with the viral Wordle recreation.
A ‘readme’ file within the archive states that the risk actor used an uncovered GitHub token to entry the corporate’s repositories and steal the info.
The Instances advises anybody affected by this knowledge breach to be cautious of sudden emails, telephone calls, or messages requesting private data like usernames, passwords, and date of delivery which might be used to achieve entry to their accounts with out permission.
The newspaper additionally warned them to make it possible for their private accounts, together with electronic mail and social media accounts, have robust passwords and two-factor authentication enabled to dam unauthorized entry makes an attempt.
