Malware
New York Times Alerts Freelancers: Beware of the Massive GitHub Repo Data Breach!
The New York Times has warned freelancers of a potential data breach after the paper discovered one of its GitHub repositories was publicly accessible. The leaked information could include names, addresses, and social security numbers of freelance contributors. Affected individuals are advised to monitor their credit reports and be vigilant for identity theft.
Recently, The New York Times informed a number of contributors that some of their sensitive personal information was stolen and leaked. This occurred after the newspaper’s GitHub repositories were breached in January 2024. Fortunately, the breach did not affect the newspaper’s internal corporate systems or operations.
The information stolen during the incident includes first and last names, phone numbers, email addresses, mailing addresses, nationality, bio, website URLs, and social media usernames of affected individuals. In addition, the compromised repositories also contained information relevant to assignments, such as diving and drone certifications or access to specialized equipment.
The Times spokesperson confirmed that the data exposure did not extend to full-time newsroom staff or other contributors.
An Extensive Data Leak
It was reported that a 273GB torrent file containing The New York Times’ stolen data was leaked on the 4chan message board. According to the forum post, the leak includes “basically all source code belonging to The New York Times Company,” with around 5,000 repositories and 3.6 million files in total. Some of the stolen information includes IT documentation, infrastructure tools, and even source code for the popular Wordle game.
On June 6, 2024, a post on another site made the data publicly available. The Times confirmed this in data breach notification letters sent to affected contributors.
A ‘readme’ file in the archive revealed that the threat actor used an exposed GitHub token to access the company’s repositories and steal the data.
Staying Safe After the Data Breach
For those affected by this data breach, The New York Times advises caution when dealing with unexpected emails, phone calls, or messages requesting personal information like usernames, passwords, and date of birth. This information could be used to gain access to accounts without permission.
Furthermore, the newspaper recommends ensuring that personal accounts, including email and social media accounts, have strong passwords and two-factor authentication enabled to block unauthorized access attempts.
As your trusted IT Services provider, we urge you to take cybersecurity seriously and take steps to protect your personal and business information. Stay vigilant and keep coming back to learn more about how to safeguard your digital assets.