A hacker has claimed to have leaked a database containing millions of user records tied to Condé Nast Inc.’s WIRED magazine, with the data first appearing on the Breach Stars cybercrime forum and quickly spreading across other underground marketplaces.
The dataset, which first surfaced late last week, is being advertised as containing more than 23 million records allegedly associated with WIRED.com users and subscribers. The data includes a wide range of personally identifiable information, including email addresses, usernames, full names and, in some cases, phone numbers and physical mailing addresses.
The threat actor, using the alias “Lovely,” claims the leak is part of a broader compromise affecting Conde Nast’s shared account infrastructure. The hacker alleges to have access to data connected to tens of millions of users across Condé Nast’s wider portfolio of publications, including brands such as Vogue, GQ, Vanity Fair and The New Yorker.
At this stage, however, only the WIRED dataset has been publicly released and the full scope of the intrusion remains unverified.
Parts of the leaked data have been confirmed as being legitatement and correspond to real user accounts, lending credibility to claims that the data originated from Condé Nast systems rather than being fabricated or recycled from older breaches.
Condé Nast has not publicly confirmed a breach as of the time of writing, nor has it disclosed details about any internal investigation or remediation efforts.
WIRED subscribers should be on alert for unsolicited emails referencing subscriptions or account issues, should avoid links or attachments from unexpected messages and should use unique passwords across services.
Discussing the breach and particularly the lack of official disclosure, Chris Radkowski, governance, risk and compliance expert at identity governance company Pathlock Inc., told News via email that “if a breach involving user-sensitive data is confirmed, organizations are typically required to assess notification obligations under applicable privacy regulations.”
“For example, under the European Union General Data Protection Regulation, companies must notify regulators within 72 hours of becoming aware of a personal data breach, while U.S. state laws impose varying timelines and disclosure requirements depending on the data involved and residency of affected users,” explains Radkowski. “Meeting these obligations depends heavily on having visibility into who had access to what data, when, and under which permissions.”
“Without strong identity governance and access controls, organizations often struggle to quickly define the scope of an incident, which can delay notifications and increase regulatory and operational risk,” added Radkowski.
Image: News/Ideogram
Support our mission to keep content open and free by engaging with theCUBE community. Join theCUBE’s Alumni Trust Network, where technology leaders connect, share intelligence and create opportunities.
- 15M+ viewers of theCUBE videos, powering conversations across AI, cloud, cybersecurity and more
- 11.4k+ theCUBE alumni — Connect with more than 11,400 tech and business leaders shaping the future through a unique trusted-based network.
About News Media
Founded by tech visionaries John Furrier and Dave Vellante, News Media has built a dynamic ecosystem of industry-leading digital media brands that reach 15+ million elite tech professionals. Our new proprietary theCUBE AI Video Cloud is breaking ground in audience interaction, leveraging theCUBEai.com neural network to help technology companies make data-driven decisions and stay at the forefront of industry conversations.
