The New York Times has verified a security breach involving its GitHub repositories, resulting in 270GB of data being posted on the 4chan forum. This incident, which took place in January 2024, led to the unauthorized disclosure of internal source code and other confidential files.
Scope of the Breach
This compromise affected over 5,000 source code repositories, with fewer than 30 files being encrypted, as indicated by the anonymous leaker. The published files contain IT documentation, infrastructure tools, and source code, including that of the popular game Wordle, which the Times acquired in 2022, as well as names, email addresses and hashed passwords. The unauthorized access reportedly stemmed from an exposed GitHub token.
GitHub tokens are crucial elements in the management and security of GitHub repositories, the storage spaces where code, project files, and version history are managed and collaborated on using the Git version control system. These tokens, often called personal access tokens (PATs), are used to authenticate and grant access to GitHub APIs and repositories without requiring a user’s password. They serve as a substitute for passwords and OAuth tokens when accessing the GitHub API, offering a secure and efficient way to manage permissions and automate workflows.
The breach came to light when X user @vxunderground identified that 270GB of internal data from the New York Times had been leaked online. Around 3.6 million files were reportedly included. Information from the hacker’s text file states that 6,223 folders were extracted from the Times’ GitHub repositories.
Today on 4chan someone leaked the source code (?) to the New York Times. They leaked 270GB of data
They wrote that the New York Times has 5,000+ source code repositories, with less than 30 being encrypted (?). It is 3,600,000 files in total
Note: We haven’t reviewed the data
— vx-underground (@vxunderground) June 6, 2024
Alex Ivanovs from StackDiary identified a database containing names and surnames, email addresses, hashed passwords, and internal communications from Slack channels.
The New York Times leak does include sensitive information – I was able to identify a database of ~1k users (email, name and surname, hashed passwords)
It’s going to be a rough weekend for them. https://t.co/FKVFbvUcr0 #databreach #cybersecurity #infosec
— Alex Ivanovs (@stackdiary) June 7, 2024
Response and Clarification
Initially, reports suggested that the attackers obtained credentials for a cloud-based third-party code platform. The New York Times told BleepingComputer that its internal systems were not affected, that its operations remain unaffected, and that measures are being taken to secure the repositories and prevent further breaches.
The incident highlights the need to safeguard GitHub tokens and other sensitive credentials against exposure through regular security audits and stringent protection measures for sensitive information.
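One form such an audit can take, shown as an added example that is not part of the original article: a Python check that searches file contents for strings shaped like GitHub tokens, reports them redacted, and counts how many distinct tokens would need revoking. The token patterns, file names and sample tokens are assumptions constructed for illustration.

```python
import hashlib
import re

# Prefixed token shapes GitHub uses; the body lengths are assumptions based on
# the formats in use at the time of writing and may change.
TOKEN_PATTERNS = {
    "classic/OAuth/app token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "fine-grained PAT": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{82}\b"),
}

def redact(token):
    """Keep only the type prefix and last four characters for the report."""
    prefix = "github_pat_" if token.startswith("github_pat_") else token[:4]
    return f"{prefix}...{token[-4:]}"

def scan(files):
    """Return one finding per token occurrence in a {path: text} mapping."""
    findings = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for kind, pattern in TOKEN_PATTERNS.items():
                for match in pattern.finditer(line):
                    token = match.group(0)
                    # The fingerprint lets one token be correlated across
                    # files without storing the secret itself.
                    digest = hashlib.sha256(token.encode()).hexdigest()[:12]
                    findings.append({"path": path, "line": line_no, "kind": kind,
                                     "token": redact(token), "fingerprint": digest})
    return findings

def tokens_to_revoke(findings):
    """Number of distinct tokens behind the findings."""
    return len({f["fingerprint"] for f in findings})

# Constructed sample input: the tokens are fabricated and match only the shape.
FAKE_CLASSIC = "ghp_" + "a1B2c3D4e" * 4
FAKE_FINE = "github_pat_" + "x" * 22 + "_" + "Y9" * 29 + "z"
SAMPLE_FILES = {
    "deploy/ci.env": f"REGION=us-east-1\nGH_TOKEN={FAKE_CLASSIC}\n",
    ".git/config": '[remote "origin"]\n'
                   f"\turl = https://{FAKE_CLASSIC}@github.com/example-org/example-repo.git\n",
    "README.md": "Set GH_TOKEN to a token such as ghp_<your token here>.\n",
    "scripts/sync.py": f"TOKEN = '{FAKE_FINE}'\n",
}

if __name__ == "__main__":
    for f in scan(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']}  {f['kind']}  {f['token']}  {f['fingerprint']}")
```

Every token a scan like this reports should be treated as exposed and revoked, not only removed from the file, because earlier commits still contain it.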
Last Updated on November 7, 2024 7:46 pm CET