The New York Times' internal source code totaling approximately 270GB and 3.6 million files leaked



It has been discovered that internal source code of The New York Times, a daily newspaper published in the United States, was stolen from a GitHub repository and leaked onto the anonymous message board 4chan. The New York Times has acknowledged this fact and has taken appropriate measures.

New York Times source code stolen using exposed GitHub token
https://www.bleepingcomputer.com/news/security/new-york-times-source-code-stolen-using-exposed-github-token/




According to a report from foreign media outlet BleepingComputer, someone on 4chan has leaked source code for The New York Times, with the leaker writing, 'I have 270GB of all source code belonging to the New York Times Company (the publisher of the paper). There are about 5,000 repositories, but I believe fewer than 30 of them are encrypted. That's a total of 3.6 million files.'



When BleepingComputer contacted The New York Times, the paper acknowledged that the source code in question was stolen from a GitHub repository in January 2024.

BleepingComputer points out that the names of the exposed folders suggest that various information, such as IT documents, infrastructure tools, and source code, was stolen. In addition, the folders contain a 'readme' file stating that the leaker used an exposed GitHub token to access the repository and steal the data.

The New York Times issued a statement saying, 'The events related to the posts in question occurred in January 2024 due to the accidental disclosure of credentials for a cloud-based third-party code platform. The issue was quickly identified and we immediately took appropriate measures. There is no indication of unauthorized access to any systems owned by us, and there has been no operational impact related to this incident. Our security procedures include continuous monitoring for anomalous activity.'



The New York Times data leak came the same week that 415MB of internal documents from the Disney game Club Penguin were leaked to 4chan. Sources told BleepingComputer that the Club Penguin leak was only part of the attack on Disney, with attackers already having stolen 2.5GB of internal company data. It is unclear whether the same people are responsible for the New York Times and Disney breaches.

in Security, Posted by log1p_kr