New York Times Source Code Stolen From Exposed GitHub Token

Internal source code and data belonging to The New York Times was leaked on the 4chan message board after being stolen from the company’s GitHub repositories in January 2024, The Times confirmed to BleepingComputer.

As first seen by VX-Underground, the internal data was leaked on Thursday by an anonymous user who posted a torrent to a 273GB archive containing the stolen data.

“Basically all source code belonging to The New York Times Company, 270GB,” reads the 4chan forum post. “There are around 5 thousand repos (out of them less than 30 are additionally encrypted I think), 3.6 million files total, uncompressed tar.”

In a statement to BleepingComputer, The Times said the breach occurred in January 2024 after credentials for a cloud-based third-party code platform were exposed. A subsequent email confirmed this code platform was GitHub.

“The underlying event related to yesterday’s posting occurred in January 2024 when a credential to a cloud-based third-party code platform was inadvertently made available. The issue was quickly identified and we took appropriate measures in response at there time. There is no indication of unauthorized access to Times-owned systems nor impact to our operations related to this event. Our security measures include continuous monitoring for anomalous activity” – The New York Times

Mashable reported reported the controversial image board 4Chan is back in the news this week after two big data dumps were posted on the site.

Now, it appears that the New York Times Company is the largest establishment to have its data leaked on 4Chan over the past week. The data allegedly includes source code to its viral World game.

Mashable reported X user @vxunderground appears to be the first to notice that 270GB of internal data connected to the New York Times was posted online. The data contains the company’s internal source code and consists of more than 5,000+ source code repositories. The leak is made up of a total of roughly 3,600,000 files.

According to a text file shared by the hacker, 6,223 folders were stolen from the New York Times’ GitHub repository. This includes internal company IT documents and source code, which includes the popular word game that the Times acquired in 2022, Wordle.

The Register reported a 4chan user claims to have leaked 270GB of internal New York Times data, including source code and other web assets, via the notorious image board.

According to the unnamed netizen, the information includes, “basically all source code belonging to The New York Times Company,” amounting to roughly 5,000 repositories and 3.6 million files now available for download from peer-to-peer networks. Details on how to get the files where shared by the poster on 4chan.

Of the files listed – whose names indicate everything from blueprints to Wordle to email marketing campaigns and ad reports — “less than 30” repositories are “encrypted,” the 4channer claimed. Again, take this with a healthy does of salt considering the source — an unnamed 4chan user.

In my opinion, stealing files and data from a large company’s GitHub is not a good idea. It is entirely possible that the New York Times may have already hired someone to find the hacker who did this.

Leave a Reply


This site uses Akismet to reduce spam. Learn how your comment data is processed.