New York Times source code leaks on 4chan, days after Disney leak


An anonymous hacker has posted an alleged leak of The New York Times source code, posting the grab Friday on the often controversial 4Chan message boards.

The leak comes just two days after a seemingly unrelated threat actor, associated with the defunct online game Club Penguin, claimed to have breached Disney’s internal servers and posted links to the handiwork on 4chan.

The Disney hacker was allegedly able to download a 2.5GB swath of sensitive corporate data, with some files dated as recently as June 1st, but more on that below.

ADVERTISEMENT

As for The New York Times (NYT), a breach post claiming the historic news organization was created on 4chan at about 9:30 p.m. Eastern daylight time on June 6th.

Hacker repository vx-underground first posted about the Times leak on X, noting that they did not have a chance to examine the alleged 270 GB of stolen data. “Today on 4chan someone leaked the source code (?) to the New York Times. They leaked 270GB of data,” vx-underground said.

The malware collectors went on to say that the hacker “wrote that the New York Times has 5,000+ source code repositories, with less than 30 being encrypted (?). It is 3,600,000 files in total.”

In the post, the anonymous NYT leaker provided a magnet link to the files, adding that the leaked collection was “uncompressed tar” files and to “Please seed, the seedboxes might not be enough.”

“Basically all source code belonging to The New York Times Company, 270GB. There are around 5 thousand repos (out of them less than 30 are additionally encrypted I think), 3.6 million files total,” they posted, signing the message “With love from /aicg/.

New York Times hacker post 4chan
4chan NYT leak post and sample of source code list of repositories. Image by Cybernews.
ADVERTISEMENT

Followers of VX-underground quickly jumped on the bandwagon to comment about the massive data cache, most joking about how the historic newspaper had such an exorbitant amount of repositories.

“Wait like the site http://nytimes.com? Or like the code they run to help them write/research articles, format print copies, and generally be a newspaper?” one X user posted.

“How does a simple newspaper have >5k repositories with 270GB of source code?!,” another X user questioned. “My thumb went numb just scrolling the list of repos,” posted yet another.

Club Penguin fans go after Disney

Vx-Underground also mentioned that it was the second leak of proprietary information posted on 4chan this week. “A few days Club Penguin files were stolen from Disney's internal network,” they said.

Originally launched in 2005, Club Penguin was a multiplayer online game franchise owned by the Walt Disney Disney that was shut down in 2017.

Over the years, more than 330,000,000 user accounts have been created in association with the game, which was played in over 190 countries, according to Fandom’s Club Penguin Wiki page. Remakes of the game have since resurfaced on private indie platforms, with one alternative site being shuttered in 2022 by Disney over copyright infringement following the arrest of people suspected of running the game.

“The Club Penguin kids growing up and hacking Disney to get revenge on Club Penguin getting shut down is an unexpected, but oddly logical, turn of events,“ one Reddit user commented about the June 3rd leak.

Labeling the post “Internal Club Penguin PDFs”, the self-proclaimed Club Penguin fan simply stated “I no longer need these :).” along with a link to the file dump.

Disney Club Penguin hacker post 4chan
ADVERTISEMENT

"It is 137 documents which include product planning, proof-of-concepts, internal e-mails, and some documents on other projects such as Tron," vx-underground said about the Club Penguin-related materials.

To illustrate Club Penguin's cult status among gamers, one user on 4Chan started their own thread asking “if the person who leaked Disney MMO internal files on /v/ last night still here? I'm really curious if there's any other stuff, specifically for Club Penguin,” they wrote.

“I wanna know if you have the rest of the character sheet document instead of just separate pages since it probably has more characters on it. Pic related is an older sheet one of the Club Penguin staff showed off before for a character that wasn't in the leaks. I genuinely would be interested in seeing that or concept art if you have and see this post,” they asked.

The hacker reportedly stole the 2.5GB of sensitive corporate information from Disney’s Confluence servers, a product of the Atlassian software company.

According to Bleeping Computer, who saw the documents, the Club Penguin PDFs represent only a small portion of the stolen data as the Club Penguin hackers apparently found more than they bargained for.

The threat actors dipped back into Disney servers to exfiltrate additional sensitive data, including "Disney's corporate strategies, advertising plans, Disney+, internal developer tools, business projects, and internal infrastructure."

A source told the media outlet that the servers were breached using previously exposed credentials.

Last month, two critical Atlassian vulnerabilities affecting Confluence were discovered (fix released), most likely leaving hundreds of thousands of Confluence Server instances exposed, mostly in the US, according to the Cybernews research team.

ADVERTISEMENT