HomeWinBuzzer NewsNew York Times Confirms 270GB GitHub Token Data Breach

New York Times Confirms 270GB GitHub Token Data Breach

Information from the hacker's text file states that 6,223 folders were extracted from the Times’ GitHub repositories.

-

The New York Times has verified a involving its GitHub repositories, resulting in 270GB of data being posted on the 4chan forum. This incident, which took place in January 2024, led to the unauthorized disclosure of internal source code and other confidential files.

Scope of the Breach

This compromise affected over 5,000 source code repositories, with fewer than 30 files being encrypted, as indicated by the anonymous leaker. The published files contain IT documentation, infrastructure tools, and source code, including that of the popular game Wordle, that the Times acquired in 2022, names, email addresses and hashed passwords. The unauthorized access reportedly stemmed from an exposed GitHub token.

tokens are crucial elements in the management and security of GitHub repositories, storage spaces where code, project files, and version history are managed and collaborated on using the Git version control system. These tokens, often called personal access tokens (PATs), are used to authenticate and grant access to GitHub APIs and repositories without requiring a user's password. They serve as a substitute for passwords and OAuth tokens to access the GitHub API, ensuring a secure and efficient way to manage permissions and automate workflows.

The breach came to light when X user @vxunderground identified that 270GB of internal data from the New York Times had been leaked online. Around 3.6 million files were reportedly included. Information from the hacker's text file states that 6,223 folders were extracted from the Times' GitHub repositories.

Alex Ivanovs from StackDiary identified a database containing names and surnames, email addresses, hashed passwords, and internal communications from Slack channels.

Response and Clarification

Initially, reports suggested that the attackers obtained credentials for a cloud-based third-party code platform. The New York Times stated to BleepingComputer that its internal systems were not affected and that its operations remain unaffected and measures are being taken to secure the repositories and prevent further breaches.

The incident highlights the necessity of safeguarding GitHub tokens and other sensitive credentials to prevent exposure via regular security audits and stringent protection measures for sensitive information.

Markus Kasanmascheff
Markus Kasanmascheff
Markus is the founder of WinBuzzer and has been playing with Windows and technology for more than 25 years. He is holding a Master´s degree in International Economics and previously worked as Lead Windows Expert for Softonic.com.