New York Times Source Code Compromised via Exposed GitHub Token

A 4chan user claims to have leaked 270GB of internal New York Times data. The leak includes roughly 5,000 repositories and 3.6 million files, now available for download from peer-to-peer networks.

This breach was facilitated through an exposed GitHub token, highlighting significant security vulnerabilities within the organization’s software repositories. The incident underscores the ongoing challenges even major institutions face in safeguarding their digital assets.

The folder names indicate that a wide variety of information was stolen, including IT documentation, infrastructure tools, and source code, allegedly including the viral Wordle game.

The hacker, who has not been identified, posted a magnet link to the files on 4chan, encouraging users to download and share the data. 

The leak comes just two days after a threat actor, seemingly associated with the defunct online game Club Penguin, claimed to have breached Disney’s internal servers, also posting links to the handiwork on 4chan.

In a statement, The New York Times said the breach occurred in January 2024 after credentials for a cloud-based third-party code platform were exposed. A subsequent email confirmed this code platform was GitHub.

This series of incidents highlights the growing threat of cyberattacks on major corporations and the need for robust cybersecurity measures.

The company said that the breach of its GitHub account did not affect its internal corporate systems and had no impact on its operations.