An actor operating under the alias Lovely claims to have millions of Wired subscription details in their possession. According to the claim, this involves more than 2.3 million records. The hacker is threatening to publish tens of millions more records from other Condé Nast publications.
The dataset appeared on various hacker forums around December 20, where access was offered for a small fee, reports BleepingComputer. The actor presents the leak as a result of negligence at Condé Nast and claims that previously reported security issues were not addressed or were only addressed after a long time. Out of frustration, it was decided to make the data public.
In addition to Wired, data from other well-known publications within the Condé Nast portfolio is also said to have been stolen. The actor published numbers of records per title, which indicates broader access to internal systems. Condé Nast has not yet confirmed that there has been a security incident.
Analysis of the leaked data by external parties indicates that the file does indeed consist of real subscription data. A sample of records was found to match existing Wired accounts. In total, the dataset contains over 2.36 million entries with almost as many unique email addresses. The corresponding timestamps range from the 1990s to very recent dates, raising questions about the consistency of the metadata.
Most records consist of an internal identification number and an email address. In some cases, additional personal data is present, such as names, addresses, phone numbers, or dates of birth. Only a small number of records contain multiple pieces of this data combined, indicating highly variable completeness within the database.
Security researchers have further tested the authenticity of the leak by comparing the data with previously stolen login details from infostealer campaigns. Similarities were found, making it likely that this is not fabricated data. Based on this, the dataset has now been included in Have I Been Pwned, so that users can check whether their email address has been affected.
Hacker posed as a researcher
It is striking that the actor allegedly posed as a security researcher prior to the leak. Third parties were contacted for help in reporting vulnerabilities within Condé Nast’s infrastructure. Initially, only a limited amount of data was collected to demonstrate the severity of the problems. When no response was received, the decision was made to download the entire dataset and consider disclosure.
In retrospect, those involved concluded that this was not a case of responsible disclosure, but rather an actor who deliberately sought to publish stolen data. Condé Nast was asked for a response, but at the time of writing had not yet provided any substantive comment.