Malware
Exclusive: New York Times Source Code Hacked – Cybercriminals Exploit Vulnerable GitHub Token
An exposed GitHub token led to hackers stealing the New York Times’ source code. The attackers exploited the misconfigured token to gain access to the newspaper’s private repositories, highlighting the importance of securing GitHub tokens and the risks of leaving sensitive information exposed online.
Imagine waking up one day, sipping your coffee, and scrolling through your social media feed only to find out that your company’s sensitive data and source code have been leaked on an online message board. That’s precisely what happened to The New York Times when its internal data was stolen from the company’s GitHub repositories in January 2024 and later leaked on the 4chan message board. And we, at IT Services, are here to tell you all about it.
What Exactly Was Stolen?
As first reported by VX-Underground, an anonymous user posted a torrent containing a whopping 273GB of stolen data from The New York Times Company. This data included “basically all source code,” with around 5,000 repositories and 3.6 million files in total.
From what we can tell, the data stolen spans a wide variety of information, including IT documentation, infrastructure tools, and even source code for the popular Wordle game. The fact that such a diverse range of information was taken highlights the need for robust cybersecurity measures.
How Did This Happen?
According to a ‘readme’ file in the stolen data archive, the threat actor responsible for this breach managed to access the company’s repositories using an exposed GitHub token. In a statement provided to us, The Times confirmed that the breach occurred in January 2024 after credentials for a cloud-based third-party code platform (which was later revealed to be GitHub) were exposed.
“The underlying event related to yesterday’s posting occurred in January 2024 when a credential to a cloud-based third-party code platform was inadvertently made available. The issue was quickly identified and we took appropriate measures in response at the time. There is no indication of unauthorized access to Times-owned systems nor impact to our operations related to this event. Our security measures include continuous monitoring for anomalous activity.”
❖ The New York Times
It’s important to note that The Times stated that the breach of its GitHub account didn’t affect its internal corporate systems and had no impact on its operations, which is a small silver lining in this story.
Not the Only One
Interestingly, The Times’ leak wasn’t the only one that happened on 4chan that week. The first leak involved 415MB of stolen internal documents for Disney’s Club Penguin game. We were told by sources that this leak was part of a more significant breach of Disney’s Confluence server, where threat actors stole 2.5 GB of internal corporate data. At this time, it’s unclear if the same person conducted both the New York Times and Disney breaches.
What Can We Learn From This?
The breaches of The New York Times and Disney serve as stark reminders of the importance of robust cybersecurity measures. Companies, big and small, need to invest in their cybersecurity infrastructure and adopt best practices to protect their sensitive data and intellectual property. Remember, it only takes one weak link in the security chain for threat actors to exploit and gain unauthorized access.
If you’re looking for guidance on how to strengthen your cybersecurity defenses or simply want to learn more about the latest threats and trends, don’t hesitate to reach out to us. We’re always here to help you stay one step ahead of the hackers. Keep coming back to learn more!