The New York Times source code compromised via exposed GitHub token
June 08, 2024
The leakage of The New York Times source code and data on 4chan was a result of an exposed GitHub token theft that occurred in January 2024.
It was first noticed by VX-Underground this week that an anonymous user leaked the internal data of The New York Times on 4chan. The individual behind the leak disclosed a massive 270GB of data, alleging that the American publication possesses more than 5,000 source code repositories, with only a small fraction of them being encrypted.
BleepingComputer’s confirmation verified that the leaked internal source code and data of The New York Times on 4chan was indeed authentic.
The New York Times disclosed that the theft of the data and source code from their GitHub repositories took place back in January 2024.
The stolen files are believed to include IT documentation, infrastructure tools, and source code, notably the popular Wordle game.
The actor behind the breach admitted to exploiting an exposed GitHub token to gain access to the repositories, although initially, The New York Times claimed that the attackers had acquired credentials for a cloud-based third-party code platform. Subsequently, it was confirmed that the third-party platform in question was GitHub.
The New York Times emphasized that the security breach of their GitHub account did not compromise their internal systems and did not disrupt their operations.
Follow my updates on Twitter: @securityaffairs and on Facebook and Mastodon
(SecurityAffairs – hacking, The NY Times)
About Author
