New York Times confirms source code leak


The New York Times has confirmed that its GitHub repository was breached in January, after a 4Chan user claimed to have stolen 'basically all source code belonging to The New York Times Company'.

Around 273GB of data is believed to have been accessed in the incident. The exposed data is thought to include IT documentation, infrastructure tools, email marketing campaigns, ad reports and source code, including that of the popular Wordle game, which the company acquired in 2022.

"There are around 5 thousand repos (out of them less than 30 are additionally encrypted I think), 3.6 million files total, uncompressed tar," the anonymous user wrote on 4Chan.

Around 5,000 repositories and 3.6 million files are now available for download from peer-to-peer networks.

The NYT said the issue was quickly identified and that it has taken 'appropriate measures', including continuous monitoring for anomalous activity. The publication added that there's no indication of unauthorized access to Times-owned systems, and that the breach has had no impact on its operations.

However, according to industry experts, there could be significant repercussions.

Thomas Richards, principal consultant at the Synopsys Software Integrity Group, said access to the source code could allow the attackers to look for vulnerabilities that could exist in the NYT's applications and find ways to exploit them.

"Some of these vulnerabilities may be difficult to detect through penetration testing or attacking the applications with zero knowledge. What should be sending alarm bells through the NYTimes security team is that someone had a privileged level of access inside their network to even access the source code," he said.

"If they were in the network to view the code, they could also tamper with the code to introduce vulnerabilities or backdoors to allow additional compromise. The NYTimes should do a thorough review of all their source code to make sure it was not tampered with, or that unauthorized changes were made."

The risk might not be too great if the code was developed using security scanning technologies such as SAST, SCA, and DAST, and the vulnerabilities were resolved, according to Boris Cipot, senior security engineer at the Synopsys Software Integrity Group.

"However, if these measures are missing or poorly implemented, the issue becomes significant. Disrupting the New York Times applications by finding vulnerabilities in the code is a minor concern," he said.

"The larger threat is the potential for miscommunication or altering the text on the pages if a vulnerability allows such an attack."

However, Javvad Malik, lead security awareness advocate at KnowBe4, pointed out that hackers aren't necessarily 100% reliable, and it's important not to jump to conclusions.

"As with any claim made on platforms like 4chan, skepticism is a must. The anonymity and notoriety of such platforms mean that misinformation can spread as rapidly as legitimate leaks," he said.

"Until there is confirmation and a detailed analysis of the leaked data, we must tread carefully, neither underestimating the potential impact nor jumping to conclusions."

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.