
New York Times plays down impact of source code leak


Internal source code from The New York Times (NYT) has been leaked online following a breach on the newspaper’s GitHub repository.

Links to a torrent purportedly carrying a 273GB archive of source code from the NYT were posted on notorious internet message board 4chan last week.

A post publicising the leak states that the dump comes from around 5,000 repositories (only 30 of which were encrypted) and 3.6 million files.

The claims were picked up by malware researchers VX-Underground, and first reported by Bleeping Computer.

A text file with a list of 6,223 folders associated with the leak suggests that it contains infrastructure tools, source code (including software from the popular Wordle game) and IT documentation.

“A ‘readme’ file in the archive states that the threat actor used an exposed GitHub token to access the company’s repositories and steal the data,” Bleeping Computer reports.

‘No impact on operations’

In response to queries from CSOonline.com, the NYT offered a statement confirming the breach while downplaying its significance.

“The underlying event related to last week’s posting occurred in January 2024 when a credential to a cloud-based third-party code platform was inadvertently made available,” according to the NYT. “The issue was quickly identified and we took appropriate measures in response at the time.”

The NYT added: “There is no indication of unauthorized access to Times-owned systems nor impact to our operations related to this event. Our security measures include continuous monitoring for anomalous activity.”

A spokesperson for the NYT confirmed that the third-party code platform involved in the breach was GitHub.

GitHub has become an integral part of the software development process at many organisations.

The abuse of stolen tokens to gain access to repositories and carry out GitHub intrusions, both targeted and opportunistic, is a well-known security threat.

Secondary threats

The exposure of source code held in repositories like this could reveal vulnerabilities that attackers can exploit to launch further attacks, security experts warned.

“As well as the potential for risk to individuals through exposed PII [personally identifiable information], the leak also increases the risk to the NYT of further targeted intrusions through the exposure of vulnerabilities in the website’s infrastructure,” Rik Ferguson, VP of security intelligence at security vendor Forescout, told CSOonline.com.

“These vulnerabilities could then be further leveraged in various ways, for example to distribute malware, to effect further intrusions into NYT corporate infrastructure, or for denial-of-service attacks.”

Yakir Kadkoda, lead security researcher at Aqua Security, warned that “from this large amount of data, attackers can extract tokens and sensitive information, identify vulnerabilities by examining the code, and discover internal and external domain names and IP addresses.”

“In this case, they are fortunate to know about the breach and can prepare by rotating tokens and other credentials. Other companies should implement measures such as canary tokens in their internal source code,” Kadkoda added.

When a malicious actor tries to use a so-called canary token, the company can detect the breach and immediately start the incident response process.
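As an added illustration of the canary-token idea described above (example code, not from the article or any of the vendors quoted), the block below plants fake credentials that are never used legitimately and scans authentication log lines for any attempt to use them. The canary values, the log format and the log lines are all constructed for the example.

```python
"""Canary-credential detection over constructed authentication log lines.

Added example: a handful of 'canary' secrets are planted in source code.
They are valid nowhere, so any attempt to authenticate with one is a
high-confidence signal that the code has been read by someone it should
not have been, and the incident-response process can start immediately.
"""
import re
from dataclasses import dataclass

# Hypothetical canary identifiers planted in the codebase. They look like
# real secrets but are registered only in this detection table, never in
# any cloud account or code platform.
CANARY_TOKENS = {
    "AKIACANARY0000EXAMPLE": "fake AWS key in deploy/scripts/s3_sync.py",
    "ghp_CanaryExampleToken0000000000000000": "fake GitHub PAT in ci/README.md",
}

# Constructed sample log in a simple format:
#   <timestamp> <actor> <token> <source_ip> <result>
SAMPLE_LOG = """\
2024-06-10T09:14:02Z svc-build AKIAREALPRODKEY00000 10.0.4.7 ok
2024-06-10T09:15:44Z unknown AKIACANARY0000EXAMPLE 203.0.113.45 denied
2024-06-10T09:16:01Z dev-anna ghp_RealTokenXXXXXXXXXXXXXXXXXXXXXXXX 10.0.9.2 ok
2024-06-11T22:03:17Z unknown ghp_CanaryExampleToken0000000000000000 198.51.100.9 denied
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


@dataclass(frozen=True)
class CanaryAlert:
    timestamp: str
    source_ip: str
    token: str
    planted_at: str  # where in the code the canary lives, for triage


def detect_canary_use(log_text: str) -> list:
    """Return one CanaryAlert per log line that presents a planted canary.

    The authentication result is deliberately ignored: a *denied* attempt
    with a canary is just as strong a signal as a successful one, because
    the only way to know the value is to have read the source.
    """
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        ts, _actor, token, ip, _result = m.groups()
        if token in CANARY_TOKENS:
            alerts.append(CanaryAlert(ts, ip, token, CANARY_TOKENS[token]))
    return alerts


if __name__ == "__main__":
    for alert in detect_canary_use(SAMPLE_LOG):
        print(f"CANARY HIT {alert.timestamp} from {alert.source_ip}: {alert.planted_at}")
```

Keying the table by the full token string, rather than by a prefix pattern, keeps false positives at zero: real credentials that merely resemble a canary never match, and each hit points straight at the file that was exposed.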

There’s also the risk that attackers might do more than copy the code held in the repository.

Thomas Richards, principal consultant at the Synopsys Software Integrity Group, said, “The NYTimes should do a thorough review of all their source code to make sure it was not tampered with, or that unauthorised changes were made.”

The best defences against attacks on cloud-based software repositories involve a combination of technology and policy, said Michael Robert, a cybersecurity specialist at GTA Boom.

Countermeasures

Failure to rotate credentials can increase the risk of unauthorised access to software repositories in much the same way that bad password security practices leave website accounts at risk of attack.

“Tools like 2FA, token rotation policies, and least-privilege access help,” Robert said. “But equally important is ensuring departing employees are removed from all systems promptly via well-practiced checklists.”

Logging and better monitoring are needed in order to stay ahead of threats against corporate code repositories, according to Forescout’s Ferguson. He advised that “companies should be actively monitoring their logs from large data aggregations like GitHub. Mass clones of repositories that do not fit normal patterns should be glaringly obvious to spot and stop.”
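To show what “mass clones that do not fit normal patterns” can look like as detection logic, the following added example (not from the article, Forescout or GitHub) counts how many distinct repositories each actor clones within a sliding one-hour window and flags actors that exceed a threshold. The event layout loosely mirrors a platform audit log (an `action`, an `actor`, a `repo` and a timestamp), but the field names, the threshold and every event are constructed for the example.

```python
"""Mass-clone detection over constructed repository audit-log events.

Added example: a normal developer clones a few repositories across a day;
a compromised automation identity clones dozens in minutes. A sliding
window over each actor's clone events separates the two.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(hours=1)
MAX_DISTINCT_REPOS_PER_WINDOW = 20  # hypothetical threshold; tune to your baseline


def _ts(dt):
    """Format a datetime the way the constructed events carry it."""
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def build_sample_events():
    """Constructed events: one normal developer and one abused service token."""
    base = datetime(2024, 6, 10, 0, 0, tzinfo=timezone.utc)
    events = []
    # dev-anna: three clones spread across a working day, from the office range
    for i, repo in enumerate(["org/web", "org/api", "org/infra"]):
        events.append({"@timestamp": _ts(base + timedelta(hours=9 + 3 * i)),
                       "action": "git.clone", "actor": "dev-anna",
                       "repo": repo, "actor_ip": "10.0.9.2"})
    # svc-ci: forty distinct repositories in twenty minutes, at 02:00, from outside
    for i in range(40):
        events.append({"@timestamp": _ts(base + timedelta(hours=2, seconds=30 * i)),
                       "action": "git.clone", "actor": "svc-ci",
                       "repo": f"org/repo-{i:03d}", "actor_ip": "203.0.113.45"})
    # an unrelated event type that the detector must ignore
    events.append({"@timestamp": _ts(base + timedelta(hours=2)), "action": "repo.create",
                   "actor": "svc-ci", "repo": "org/scratch", "actor_ip": "203.0.113.45"})
    return events


def find_mass_clones(events, window=WINDOW, threshold=MAX_DISTINCT_REPOS_PER_WINDOW):
    """Return {actor: peak distinct repos cloned inside any single window}
    for every actor whose peak exceeds the threshold."""
    by_actor = defaultdict(list)
    for e in events:
        if e.get("action") != "git.clone":
            continue
        by_actor[e["actor"]].append((_parse_ts(e["@timestamp"]), e["repo"]))

    findings = {}
    for actor, items in by_actor.items():
        items.sort()  # chronological; tuples compare on the timestamp first
        start = 0
        for end in range(len(items)):
            # advance the window start until it spans at most `window`
            while items[end][0] - items[start][0] > window:
                start += 1
            distinct = {repo for _, repo in items[start:end + 1]}
            if len(distinct) > threshold:
                findings[actor] = max(findings.get(actor, 0), len(distinct))
    return findings


if __name__ == "__main__":
    for actor, peak in find_mass_clones(build_sample_events()).items():
        print(f"MASS CLONE: {actor} cloned {peak} distinct repositories within {WINDOW}")
```

Counting distinct repositories rather than raw clone events keeps CI runners that re-clone the same project many times from tripping the rule, while an actor sweeping the whole organisation stands out; a production version would learn the per-actor threshold from history and add the source address to the finding.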

