New York Times source code leaks online via 4chan

Updated A 4chan user has leaked 270GB of internal New York Times data, including what's said to be source code and other web assets, via the notorious image board.

According to the unnamed netizen, the information includes "basically all source code belonging to The New York Time Company," amounting to roughly 5,000 repositories and 3.6 million files now available for download from peer-to-peer networks. Details on how to get the files were shared by the poster on 4chan.

While The Register has seen what's said to be a list of files in the purported leak, we have not yet verified the legitimacy of the leak, and the newspaper did not respond to inquiries about the case. 

Of the files listed - whose names indicate everything from the blueprints to Wordle to email marketing campaigns and ad reports - "less than 30" repositories are "encrypted," the 4channer said.

The Register will update this story if and when we receive a response from The Times. But if true, the theft could potentially cause a huge headache for the newspaper, given the list of stolen data. There's a lot of JavaScript and TypeScript in there, judging by the filenames, plus some personal information.

In 2013 The New York Times and other media outlets saw their operations come under attack by a bunch of miscreants calling themselves the Syrian Electronic Army. During these incidents, which occurred over a period of months, readers were unable to visit some publications' websites at times; at other times, pages were defaced by intruders.

The Register was targeted, too, by the gang in a failed spear-phishing attack. At least one of our vultures was sent an email claiming to be from a senior editor, with a link to a fake copy of our publishing system to phish their credentials; the giveaway was that the message was far too cheery for that editor to be real. It also prompted us to introduce mandatory multi-factor authentication at work.

A few years later, in 2016, suspected Russian cyber-spies broke into email inboxes belonging to The New York Times and other American news organizations. ®

Updated to add on June 10

The New York Times has confirmed the theft, saying an accidentally leaked credential was used to snatch its source code and assets from a third-party code hosting platform.

"The underlying event related to yesterday’s posting occurred in January 2024 when a credential to a cloud-based third-party code platform was inadvertently made available," a spokesperson told The Register.

"The issue was quickly identified and we took appropriate measures in response at the time. There is no indication of unauthorized access to Times-owned systems nor impact to our operations related to this event."

PS: Subhead was inspired by Lester's burning Burning Man man headline.