Cybersecurity Breach: Hacker threatens to expose 2.3 million WIRED database records

A cybersecurity breach has recently occurred at Condé Nast, where a hacker claims to have accessed and leaked an alleged WIRED database containing over 2.3 million subscriber records. The hacker, known as “Lovely,” has further threatened to release up to 40 million additional records from other Condé Nast properties.

On December 20, Lovely shared the database on a hacking forum, offering access for a nominal fee. The hacker accused Condé Nast of neglecting security vulnerabilities and failing to prioritize user data protection.

A post on the forum stated, “Condé Nast does not care about the security of their users’ data. It took us an entire month to convince them to fix the vulnerabilities on their websites.”

“We will leak more of their users’ data (40+ million) over the next few weeks. Enjoy!” Lovely declared.

Subsequently, Lovely disseminated the data on other forums, requiring users to utilize forum credits to access the passwords for the data archive.

Additionally, Lovely disclosed the number of records stolen from various Condé Nast properties, including The New Yorker, Epicurious, SELF, Vogue, Allure, Vanity Fair, Glamour, Men’s Journal, Architectural Digest, Golf Digest, Teen Vogue, Style.com, and Condé Nast Traveler.

Although Condé Nast has not officially confirmed the breach, an analysis by BleepingComputer verified twenty records as legitimate WIRED subscribers from the leaked database.

The dataset comprises 2,366,576 records with unique email addresses, spanning from April 26, 1996, to September 9, 2025. Each record includes a subscriber’s unique ID, email address, and optional data like name, phone number, address, gender, and birthday.

See also  Inotiv's Data Breach: A Pharma Firm's Fight Against Ransomware

While many records have empty fields, some contain personal details. Approximately 12.01% include both first and last names, 8.21% have physical addresses, 2.84% include birthdays, and 1.37% have phone numbers. A smaller subset contains full profiles.

Alon Gal, CTO of Hudson Rock, authenticated the records using infostealer logs with previously compromised credentials, confirming the dataset’s legitimacy.

The leaked database has been added to Have I Been Pwned for users to check if their email addresses were exposed.

Claiming to be a security researcher

Prior to the leak, Lovely purported to be a security researcher who reached out to Dissent Doe of DataBreaches.net for assistance in responsibly disclosing vulnerabilities to Condé Nast. Despite initial claims of downloading only a few records for proof, Lovely eventually downloaded the entire database due to lack of response from Condé Nast.

Dissent Doe expressed feeling misled by Lovely, labeling the incident as a situation where responsible disclosure was bypassed in favor of data leakage. DataBreaches.net emphasized the need for cautious trust.

BleepingComputer attempted to contact Condé Nast for comments on the breach but has not yet received a response.

Enhance your IAM strategy with our comprehensive guide. Learn why traditional practices fall short, explore exemplary IAM models, and access a checklist for building a robust strategy.

Get the guide