New York Times’ GitHub Software Repositories, Possibly Including Wordle, End Up on 4Chan

New York Times’ GitHub Software Repositories, Possibly Including Wordle, End Up on 4Chan

bitdefender gravity zone business security

The New York Times has suffered a security incident that resulted in the unauthorized release of data from 5,000 of its source code repositories, likely including that of the popular game Wordle.

Source code and other critical information are usually the target of attackers deploying ransomware, but sometimes employee mismanagement of credentials is enough. Over the weekend, information that source code seemingly belonging to the New York Times, roughly 270GB worth of data, showed up on the 4chan forums.

The information was originally posted by vx-underground on X, revealing that around 5,000 repositories are part of the leaked data, with 30 of them encrypted.

An initial assessment of the files, according to Bleeping Computer, showed that they were composed of various internal software tools, IT documentation, and, more importantly, the source code for the incredibly popular Wordle game.

“The underlying event related to yesterday’s posting occurred in January 2024 when a credential to a cloud-based third-party code platform was inadvertently made available,” said The New York Times in a statement to Bleeping Computer. “The issue was quickly identified and we took appropriate measures in response at the time. There is no indication of unauthorized access to Times-owned systems nor impact to our operations related to this event. Our security measures include continuous monitoring for anomalous activity.”

Whoever made the files available online also left comments in a readme file inside the archive that hint at the method used to breach the security. However, this information needs to be taken with a grain of salt. Apparently, someone got ahold of a GitHub access token, which is a significant security lapse. While the cloud hosting provider wasn’t initially named, The New York Times later admitted that was the case.

While the company said that the January breach didn’t affect its day-to-day operations, it remains to be seen if anything of consequence was caught in the data breach.