
Earlier this month, a hacker named Lovely claimed to have breached a Condé Nast user database and released a list of more than 2.3 million user records from our sister publication WIRED. The released materials contain demographic information (name, email, address, phone, etc.), but no passwords.
The hacker also says that they’ll release a further 40 million records for other Condé Nast properties, including our other sister publications Vogue, The New Yorker, Vanity Fair, and more. Of critical note to our readers, Ars Technica was not affected, as we run on our own bespoke tech stack.
The hacker said that they’d urged Condé Nast to patch vulnerabilities to no avail. “Condé Nast doesn’t care about the security of their users data,” they wrote. “It took us a whole month to persuade them to repair the vulnerabilities on their web sites. We’ll leak more of their users’ data (40 + million) over the subsequent few weeks. Enjoy!”
It’s unclear how altruistic the motive really was. DataBreaches.Net says that Lovely misled them into believing they were attempting to help patch vulnerabilities, when in fact it appeared that this hacker was a “cybercriminal” in search of a payout. “As for “Lovely,” they played me. Condé Nast should never pay them a dime, and nobody else should ever, as their word clearly can’t be trusted,” they wrote.
Condé Nast has not issued an announcement, and we have not been informed internally of the hack (which isn’t surprising, since Ars isn’t affected).
Hudson Rock’s InfoStealers has a superb rundown of what has been exposed.
