New York Times says data breach affected freelance visual contributors

The New York Times sent out breach notification letters this week to several freelancers that had information involved in an incident uncovered last week.

A spokesperson for the newspaper told Recorded Future News that the letters were sent to freelance visual contributors that have done work for the Times in recent years.

“The New York Times recently communicated to some of our contributors regarding an incident that resulted in the exposure of some of their personal information,” said Charlie Stadtlander managing director of external communications. “We don’t have indications the data exposure extended to full-time newsroom staff or other contributors.”

Stadtlander declined to say how many people were being sent the letters but at least one victim posted the letter on social media.

The letter warns that around June 6, data on the contributors was “inadvertently exposed and posted on a third party site.” The leak included a file that contained some personal information including names, phone numbers, email addresses, mailing address, nationality, biography, social media information and other data on specific assignments.

Stadtlander confirmed that the letters were related to a headline-grabbing incident last week, when someone posted a link to 270 GB of data that included some source code from the New York Times as well as The Athletic — a sports news outlet owned by the newspaper.

Researchers said they also found the original source code for the Wordle game, some website user data, internal Slack communications, passwords and data about the internal architecture of New York Times platforms.

Stadtlander previously told Recorded Future News that the data was stolen during a security incident in January 2024, when “a credential to a cloud-based third-party code platform was inadvertently made available.”

“The issue was quickly identified and we took appropriate measures in response at the time. There is no indication of unauthorized access to Times-owned systems nor impact to our operations related to this event,” he said.

“Our security measures include continuous monitoring for anomalous activity.”

Stadtlander declined to answer any other questions about data or information that was allegedly involved in the breach.

Several experts said they believe the type of data stolen likely came from a platform like GitHub, and the newspaper confirmed last week that GitHub was the third-party platform breached in comments to BleepingComputer.