New York Times source code stolen using exposed GitHub token
Interior source code and information belonging to The New York Times modified into leaked on the 4chan message board after being stolen from the company’s GitHub repositories in January 2024, The Times confirmed to BleepingComputer.
As first considered by VX-Underground, the inside of information modified into leaked on Thursday by an nameless client who posted a torrent to a 273GB archive containing the stolen information.
“Frequently all source code belonging to The New York Times Company, 270GB,” reads the 4chan discussion board put up.
“There are round 5 thousand repos (out of them no longer up to 30 are additionally encrypted I like), 3.6 million information total, uncompressed tar.”
Supply: BleepingComputer
Whereas BleepingComputer didn’t get the archive, the threat actor shared a text file containing an whole list of the 6,223 folders stolen from the company’s GitHub repository.
The folder names present that an even replacement of information modified into stolen, including IT documentation, infrastructure tools, and source code, allegedly including the viral Wordle recreation.
A ‘readme’ file within the archive states that the threat actor aged an exposed GitHub token to win entry to the company’s repositories and steal the guidelines.
In a tell to BleepingComputer, The Times acknowledged the breach occurred in January 2024 after credentials for a cloud-basically based mostly third-occasion code platform had been exposed. A subsequent email confirmed this code platform modified into GitHub.
“The underlying match associated to the day prior to this’s posting occurred in January 2024 when a credential to a cloud-basically based mostly third-occasion code platform modified into inadvertently made on hand. The self-discipline modified into rapidly identified and we took appropriate measures in response at the time. There may be rarely one of these thing as a indication of unauthorized win entry to to Times-owned programs nor impact to our operations associated to this match. Our security features embody continuous monitoring for anomalous verbalize.”
❖ The New York Times
The corporate acknowledged that the breach of its GitHub yarn didn’t include an model on its inside of corporate programs and had no impact on its operations.
The Times leak is the second printed to 4chan this week, with the first being a leak of 415MB of stolen inside of documents for Disney’s Club Penguin recreation.
Sources exclusively told BleepingComputer that the Club Penguin leak modified into allotment of a extra indispensable breach of Disney’s Confluence server, the set the threat actors stole 2.5 GB of inside of corporate information.
It is miles rarely identified if it modified into the same particular individual that conducted the New York Times and Disney breaches.
