New York Times Internal Data Nabbed From GitHub

The tranche of data, lifted from underprotected GitHub repositories, reportedly includes source code, though the countrys paper of record has not yet confirmed the nature of the data accessed.

A 4chan user has leaked 270GB of internal New York Times data — allegedly including source code for the popular Wordle game and other parts of the business — as part of an incident that the media outlet partially confirmed this week.
The anonymous 4chan user claimed to have gained access to 5,000 GitHub repositories, mostly unencrypted, containing a collective 3.6 million files, including basically all
source code belonging to the New York Times Company
.
Such claims from cybercriminals should always be taken with a grain of salt. But at least one researcher, Alex Ivanovs, says he has
verified part of the data as legitimate
, including source code for Wordle; a WordPress database of 1,500 New York Times Education site users with names, email addresses, and hashed passwords; internal Slack communications; and authentication details such as URLs and their respective passwords, secret keys, and API tokens. … Plenty of such secrets need immediate attention.
For its part, a spokesperson for the Gray Lady confirmed that data was accessed back in January, but didnt verify the granular details of the incident.
“The underlying event related to the recent online posting of Times information occurred in January 2024, when a credential to a cloud-based third-party code platform was inadvertently made available, says Charlie Stadtlander, New York Times managing director for external communications, newsroom, and opinion. The issue was quickly identified, and we took appropriate measures in response at the time. There is no indication of unauthorized access to Times-owned systems nor impact to our operations related to this event. Our security measures include continuous monitoring for anomalous activity.”
If the data trove is indeed as extensive as claimed, the ramifications could be significant for the Times itself, as well as for subscribers.
The very
nature of source code means that malicious actors
could examine it for vulnerabilities to exploit in cyberattacks, noted Javvad Malik, lead security awareness advocate at KnowBe4, in an emailed statement. Additionally, the claim that only a small fraction of the repositories were encrypted highlights a potential gap in data protection strategies.
Thomas Richards, principal security consultant at Synopsys, added in an email that the exposure of source code could also allow cybercriminals to tamper with applications, games, and internal infrastructure for use in any number of nefarious attacks.
What should be sending alarm bells through the NYTimes security team is that someone had a privileged level of access inside their network to even access the source code, he said. If they were in the network just to view the code, they could also tamper with the code to
introduce vulnerabilities or backdoors
to allow additional compromise. The NYTimes should do a thorough review of all their source code to make sure it was not tampered with or that unauthorized changes were made.
Even if the data affected is less impacting than many fear, the incident is the latest, along with the
recently revealed Ticketmaster breach
, to showcase
issues in securing third-party cloud assets
.
This is a developing story.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
New York Times Internal Data Nabbed From GitHub