The New York Times Breach
Overview
In June 2024, the New York Times (NYT), a media powerhouse known for its reporting excellence, became the subject of headlines for an entirely different reason: a significant cybersecurity breach. This breach occurred because of an exposed GitHub token, which led to the theft of 270GB of data, including internal source code. This data breach came to light in June 2024, when the stolen data was leaked on public platforms such as 4chan.
What Happened?
The Incident in Detail
The incident started when a GitHub access token was accidentally made public, either through improper credential storage or possibly because it was committed to a public repository. Thanks to the token’s broad access permissions, the attacker was able to access 5,000 repos and steal 270GB of data.
The stolen data included:
Source code of critical projects, such as the codebase for Wordle, a popular word game acquired by the NYT.
A WordPress database containing information on roughly 1,500 users, such as names and email addresses.
Authentication tokens and active API and secret keys, highlighting the risk of further exploitation.
What Did the NYT Do Right and Wrong?
Response and Transparency
The New York Times detected and acted upon the breach in January 2024, revoking the exposed credentials and launching an internal investigation. However, the public disclosure of the breach only came in June 2024, drawing attention to the delayed communication.
Post Incident Actions
The New York Times (NYT) declared that its core operational system remained unaffected and implemented security measures, including enhanced monitoring and access control mechanisms.
Lessons for Organizations
The NYT breach shows how important it is for organizations to enforce strong security practices in order to reduce their exposure to cyber threats. Here are some recommendations:
Effective Access Token Management
Use fine-grained access tokens with minimal permissions to ensure they are limited to specific scopes and repositories.
Regularly audit and revoke unused or overly permissive tokens.
Secrets Detection Tools
Use automated secrets detection tools to find hardcoded secrets already in code repositories and to stop new ones from being committed.
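To make the recommendation concrete, here is an added example of the kind of check a secrets detection tool runs, written for this article and not code from the NYT or from NHI Mgmt Group. It scans a set of files for credential-shaped strings (a GitHub classic or fine-grained personal access token, an AWS access key ID, or a long value assigned to a variable named like a secret) and reports each finding with the value masked. The token prefixes and lengths are assumptions based on publicly documented formats, the sample files and the values inside them are constructed (the AWS key is AWS's own documented example value), and the rule set is deliberately small; a real scanner carries far more patterns.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Finding:
    path: str
    line_no: int
    rule: str
    masked: str  # never log the full secret; keep only enough to locate it


# Credential-format rules. Prefixes and lengths are an assumption based on publicly
# documented token formats; a production scanner would carry many more rules.
SPECIFIC_RULES = {
    "github_classic_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "github_fine_grained_pat": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{82}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}
# Fallback: a long value assigned to a variable whose name suggests a credential.
GENERIC_RULE = re.compile(
    r"(?i)(?:api[_-]?key|secret|token|password)[a-z0-9_]*\s*[:=]\s*['\"]?([a-z0-9/+=_\-]{16,})['\"]?"
)


def mask(value: str) -> str:
    """Keep only the first and last four characters so a finding can be matched to the file."""
    return value[:4] + "..." + value[-4:] if len(value) > 8 else "****"


def scan_text(path: str, text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        matched_specific = False
        for rule, regex in SPECIFIC_RULES.items():
            for m in regex.finditer(line):
                findings.append(Finding(path, line_no, rule, mask(m.group(0))))
                matched_specific = True
        if not matched_specific:  # avoid double-reporting a line a specific rule already caught
            m = GENERIC_RULE.search(line)
            if m:
                findings.append(Finding(path, line_no, "generic_assigned_secret", mask(m.group(1))))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan an in-memory {path: contents} map, e.g. the staged files in a pre-commit hook."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


def passes_precommit(files: Dict[str, str]) -> bool:
    """Return True when the commit may proceed, i.e. no finding was raised."""
    return not scan_files(files)


# Constructed sample files: the values are fake and chosen only to exercise the rules
# (the AWS access key ID is AWS's own documented example value).
SAMPLE_FILES = {
    "config/settings.py": (
        "DEBUG = False\n"
        'GITHUB_TOKEN = "ghp_0123456789abcdefghijABCDEFGHIJ012345"\n'
        'DB_HOST = "db.internal"\n'
    ),
    "deploy/env.sh": (
        "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        'export AWS_SECRET_ACCESS_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    ),
    "README.md": "Set GITHUB_TOKEN in your environment; never commit it.\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}: {f.rule} -> {f.masked}")
    print("commit allowed" if passes_precommit(SAMPLE_FILES) else "commit blocked")
```

Run as a pre-commit hook, `passes_precommit` is what decides whether the commit goes through; the README line is not flagged because the generic rule requires an assignment operator followed by a long value, not merely a mention of a variable name.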
Adopt the Least Privilege Principle
Grant employees and systems the minimum access necessary to perform their tasks.
Training and Awareness
Conduct regular training and awareness workshops for developers on secure code practices and effective secrets management.
Implement Real-Time Monitoring
Deploy monitoring solutions that detect unusual activity, such as bulk repository cloning or access from unrecognized IP addresses.
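As an added illustration of the two detections named above, the following example (written for this article, not code from the NYT or from NHI Mgmt Group) runs over constructed audit events and raises an alert when one actor clones at least a threshold number of distinct repositories inside a sliding time window, or when any access comes from an IP address outside an allowlist of known networks. The event field names (`ts`, `action`, `actor`, `repo`, `actor_ip`) and the action value `git.clone` are assumptions chosen to resemble a repository-hosting audit log, the network ranges are assumed corporate and CI ranges, and the log lines themselves are constructed; the sliding-window and allowlist logic generalizes to any log that carries a timestamp, an actor, a resource and a source address.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Tunables: CLONE_THRESHOLD or more distinct repositories cloned by one actor inside
# CLONE_WINDOW, or any access from outside KNOWN_NETWORKS, raises an alert.
CLONE_THRESHOLD = 5
CLONE_WINDOW = timedelta(minutes=10)
KNOWN_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("198.51.100.0/24")]  # assumed corporate/CI ranges


def load_jsonl(text: str) -> List[Dict]:
    """Parse one JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events, known_networks=KNOWN_NETWORKS, threshold=CLONE_THRESHOLD, window=CLONE_WINDOW):
    alerts = []
    flagged_ips = set()         # (actor, ip) pairs already reported
    bulk_alerted = set()        # actors already reported for bulk cloning
    clones = defaultdict(list)  # actor -> [(timestamp, repo)] in time order
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        ts = datetime.fromisoformat(ev["ts"])
        actor, ip = ev["actor"], ip_address(ev["actor_ip"])
        # Rule 1: access from an address outside the known networks, reported once per actor/IP.
        if not any(ip in net for net in known_networks) and (actor, ev["actor_ip"]) not in flagged_ips:
            flagged_ips.add((actor, ev["actor_ip"]))
            alerts.append({"rule": "unrecognized_ip", "actor": actor, "detail": ev["actor_ip"]})
        if ev["action"] != "git.clone":
            continue
        # Rule 2: distinct repositories cloned by this actor within the sliding window.
        history = clones[actor]
        history.append((ts, ev["repo"]))
        while history and ts - history[0][0] > window:  # drop clones that fell out of the window
            history.pop(0)
        distinct = {repo for _, repo in history}
        if len(distinct) >= threshold and actor not in bulk_alerted:
            bulk_alerted.add(actor)
            alerts.append({"rule": "bulk_clone", "actor": actor,
                           "detail": f"{len(distinct)} repos within {int(window.total_seconds() // 60)} min"})
    return alerts


# Constructed sample log: one normal developer session from an internal address, and a
# service account cloning six repositories in six minutes from an outside address.
SAMPLE_LOG = "\n".join(
    [
        '{"ts": "2024-01-05T09:00:00+00:00", "action": "git.clone", "actor": "alice", "repo": "org/web", "actor_ip": "10.1.2.3"}',
        '{"ts": "2024-01-05T09:05:00+00:00", "action": "git.push", "actor": "alice", "repo": "org/web", "actor_ip": "10.1.2.3"}',
    ]
    + [
        json.dumps({"ts": f"2024-01-05T02:1{i}:00+00:00", "action": "git.clone", "actor": "svc-ci",
                    "repo": f"org/repo-{i}", "actor_ip": "203.0.113.7"})
        for i in range(6)
    ]
)

if __name__ == "__main__":
    for alert in detect(load_jsonl(SAMPLE_LOG)):
        print(f"[{alert['rule']}] actor={alert['actor']} {alert['detail']}")
```

Each rule fires at most once per actor (or per actor and address) so a burst of cloning produces one alert rather than one per repository; the threshold and window are parameters so the same function can be tuned for a team that legitimately mirrors many repositories.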
How Could NHI Mgmt Group Help?
Risk Assessment
We can identify and address the operational and security risks associated with NHIs, reducing the risk of breaches or compliance violations.
Consulting Services
We offer consulting services designed to empower organizations with tailored strategies for managing and securing Non-Human Identities (NHIs) in complex IT environments.
Conclusion
The New York Times breach can be a lesson for all organizations operating in the digital space, not just those in the media sector. In an era where sensitive data and intellectual property are kept in cloud-based repositories, strong security measures are essential to keep that data safe.