New York Times source code stolen using exposed Github token

605 Views

The recent data breach at The New York Times is a stark reminder of the persistent threats facing our digital infrastructure. In January 2024, the company’s GitHub repositories were compromised, leading to the leak of internal source code and data on the 4chan message board.

The leaked data, first spotted by VX-Underground, was distributed via a torrent containing a 273GB archive. An anonymous user shared a text file listing the 6,223 folders stolen, which included IT documentation, infrastructure tools, and source code. Notably, the source code for the popular Wordle game was allegedly among the stolen data.

A ‘readme’ file within the archive revealed that the breach was facilitated by an exposed GitHub token, allowing the threat actor to access and exfiltrate the data. This breach highlights the critical need for secure handling of sensitive information and the implementation of stringent access controls.

As cyber threats evolve, organisations must remain vigilant and proactive in protecting their assets. The New York Times’ experience serves as a cautionary tale, emphasizing that even prominent institutions are not immune to cyber-attacks. It is a call to action for all companies to reassess their security protocols and ensure that they are prepared to defend against such sophisticated threats.