Data leak at Italian newspaper exposes readers

A decades-old newspaper has accidentally exposed its readers, leaving an unprotected database with millions of logs without a password.

Il Manifesto, Italy’s iconic leftist newspaper, has accidentally exposed its readers. The Cybernews research team has discovered an unprotected ClickHouse database containing 150,000 entries with email addresses of paying subscribers, alongside 11 million other log entries tracking the clicks and scrolls of the newspaper website’s regular visitors.

Founded in 1969, Il Manifesto has long been an institution of Italy’s radical left. It ran candidates in the 1972 general elections, pulling in a modest 0.67% of the vote before eventually parting ways with the political party it helped create. The paper survived a neo-fascist bombing attempt in 2000.

Owned today as a non-profit cooperative, Il Manifesto claims a daily circulation of around 15,000 copies.

Don't miss our latest stories on Google News. Add us as your Preferred Source on Google

What data has been leaked?

Technical details regarding visitors' devices
Session tokens
Email addresses
IP addresses
GeoIP information, accurate within 11 meters
Identified referrers that revealed how readers found their way to the paper’s articles

Readers at risk

The leak does not include passwords or direct account credentials. While session cookies were exposed, our researchers doubt that they would have made full account hijacking feasible. Yet the sensitivity of this data lies elsewhere.

Because Il Manifesto is an overtly political publication, its readership carries a distinct political identity. Knowing which individuals read which articles effectively means knowing something about their political interests, perhaps even their beliefs.

Under European privacy law, that kind of data is considered “special category” information, subject to stricter protections than ordinary personal details.

If leaked publicly or accessed by politically motivated actors, website owners, as well as readers, may face harassment campaigns or surveillance by government entities.

The leak also revealed Il Manifesto’s internal website analytics, insights into article performance, audience behavior, and referral sources. Competitors could mine that for free business intelligence.

It’s unclear whether anyone accessed the data maliciously, but despite Cybernews's attempts to contact the newspaper and Italy’s CERT, access to the database remains open. Journalists’ attempts to contact the cooperative remained unanswered.

Cybernews researchers highlight the importance of enabling authentication on the affected database.

Other actions highly recommended for the company include employing IP whitelisting to ensure that only authorized employees and systems can access the data stored within.

Common cybersecurity loophole

Sadly, it’s not uncommon for companies to make sensitive data public, potentially handing it to threat actors without the need for them to even lift a finger.

If access to databases is left without proper authentication, the data can be indexed by search engines and become accessible to anyone online. Threat actors are constantly scanning the internet, seeking unsecured databases to steal sensitive data.

Cybernews research has shown that leaks, where companies fail to secure access to digital infrastructure, are a very common and yet underestimated issue.

One of the biggest such mishaps within the media sector affected the Thomson Reuters conglomerate, which has $6.35 billion in annual revenue.

Cybernews researchers discovered that the media giant left three databases with at least 3TB of sensitive data exposed, including plaintext passwords to third-party servers. The leaked data was likely worth millions of dollars on underground criminal forums.