The New York Times has warned a number of its freelance associates that their data may have been stolen in a recent attack on its GitHub repositories.
News recently broke of a hacker posting source code belonging to the New York Times Company on the anonymous imageboard 4chan.
The archive contained some 5,000 repositories and 3.6 million files, which were made available for download via peer-to-peer networks. Among the files were Wordle blueprints, email marketing campaign information, ad reports, and more.
Phishing with job ads
At this time, we don’t know how many freelancers are affected by the breach, but we do know that the hackers stole their full names, together with some combination of phone numbers, email addresses, postal addresses, nationality, biographies, website URLs, and social media handles.
In some cases, the attackers also obtained information relevant to different assignments, such as diving or drone certifications, or access to specialized equipment.
“The New York Times recently communicated to some of our contributors regarding an incident that resulted in the exposure of some of their personal information,” a Times spokesperson told BleepingComputer. “We sent this note to freelance visual contributors that have done work for The Times in recent years. We don’t have indications the data exposure extended to full-time newsroom staff or other contributors.”
Cybercriminals could use such data to mount highly disruptive phishing attacks. For example, the North Korean state-sponsored hacking group Lazarus Group was seen creating fake job ads and distributing infostealers disguised as job requirement documents. One of these attacks resulted in the theft of more than half a billion dollars from a cryptocurrency company.
Freelancers are always looking for new job opportunities, which could make them more susceptible to phishing emails than the average consumer, especially if the new gig seemingly comes from the New York Times.