An anonymous threat actor has posted what they claim to be 270GB of source code stolen from the New York Times on a popular imageboard website.
Seen by Infosecurity, the Friday post claimed that the leak contains “basically all source code” from the publisher.
“There are around five thousand repos (out of them less than 30 are additionally encrypted I think), 3.6 million files total, uncompressed tar. Please seed, the seedboxes might not be enough,” the post read.
The alleged leak was first spotted by security researchers vx-underground.
“This is the second time this week proprietary information has been leaked onto 4chan,” they noted in a post on X (formerly Twitter). “A few days [ago] Club Penguin files were stolen from Disney’s internal network and leaked onto 4chan.”
Today on 4chan someone leaked the source code (?) to the New York Times. They leaked 270GB of data
— vx-underground (@vxunderground) June 6, 2024
They wrote that the New York Times has 5,000 source code repositories, with less than 30 being encrypted (?). It is 3,600,000 files in total
Note: We haven't reviewed the data
There’s no current indication that both attacks were carried out by the same actor. It’s also unclear whether their claims are accurate or not. Vx-underground said it hadn’t yet reviewed the leaked data.
Read more on source code leaks: Intel Confirms Source Code Leak
It’s believed that the actor targeted the New York Times’ GitHub account.
A statement from the publisher clarified that a security incident occurred in January of this year, when a credential to a “cloud-based third-party code platform” was “inadvertently made available.”
The firm said it quickly spotted the suspicious activity and remediated the incident.
“There is no indication of unauthorized access to Times-owned systems nor impact to our operations related to this event,” it added. “Our security measures include continuous monitoring for anomalous activity.”
It’s unclear what the threat actor’s motivation for stealing and leaking the source code was. One outlet claimed to have found a database of 1500 users from an NYT education site in the leaked trove. It apparently contained full names, email addresses and hashed passwords.
Also in there are internal communications from Slack channels, secrets including private user keys, and software development details regarding the publisher’s internal IT architecture.
Image credit: Claudio Divizia / Shutterstock.com