Forgot your password?
typodupeerror
Security Spam IT

New York Times Hacked? 103

Posted by samzenpus
from the fox-in-the-henhouse dept.
First time accepted submitter porsche911 writes "It looks like the NYTimes have been hacked and a large number of subscribers spammed with messages about cancellation of their service. The phone system is overwhelmed as well. The Times is currently saying the email is a fake, but that raises other worries. They were one of the only 3rd parties that had the email in question so it appears either someone really screwed up or they've suffered a data breach." Update: 12/28 21:59 GMT by S : Looks like it was just a mistake by an employee.
This discussion has been archived. No new comments can be posted.

New York Times Hacked?

Comments Filter:
  • by elrous0 (869638) * on Wednesday December 28, 2011 @03:50PM (#38518378)

    But then they found out that New Yorker readers were far too smug to lower themselves to reading email.

  • by KnightMB (823876) on Wednesday December 28, 2011 @03:56PM (#38518464)
    I've never subscribed to the New York times, yet my personal e-mail address got the same spam? Does this mean more than just a subscriber list was used or do they have a more extensive list that they have bought/captured over the years that's the equivalent of a giant spam list?
    • I do not have a home delivery subscription, just one for the Crossword puzzles, and I received not one, but two spam emails. One to an old email address I used for the account and one for the current email.

      As such, it appears that the list does include NY Times account holders of various types. Perhaps this was combined with other spam lists too.

    • by DragonHawk (21256) on Wednesday December 28, 2011 @04:04PM (#38518550) Homepage Journal

      It could also be that some con-artist somewhere is sending out phishing emails, designed to look like Times cancellation notices, and sent to large numbers of harvested email addresses. Since the set of NYT subscribers with an email address is a proper subset of the set of people with an email address, a lot of NYT subscribers would still be hit.

      But "New York Times Hacked" makes for a better headline.

    • never subscribed... , yet my personal e-mail address got the same spam. Does this mean more than just a subscriber list was used or do they have a more extensive list

      That means that NYT might not have been compromised. The e-mail spammer just took advantage of NYT to ensnare recipients or intends to damage NYT.
      • by dzfoo (772245)

        I would agree, except for the fact that I received the message on a throw-away address I only gave the New York Times to use their app.

        It seems clear to me then that their accounts list was compromised.

              dZ.

    • by antdude (79039)

      Same here. They only have my e-mail address because I use to log in. BugMeNot's accounts don't always work.

  • NY Times Response (Score:5, Informative)

    by NotSanguine (1917456) on Wednesday December 28, 2011 @03:57PM (#38518468) Journal
    Is this [nytimes.com]
    • by cultiv8 (1660093)

      We’re working to coordinate a response

      Good to know they're on top of things.

      • Re:NY Times Response (Score:4, Interesting)

        by Skapare (16644) on Wednesday December 28, 2011 @04:35PM (#38518860) Homepage

        They also need to get their DNS updated to also include a genuine SPF record and not rely entirely on the TXT record.

        • There's no reason to do so: SPF has no anti-spam and no anti-forgery value in the contemporary environment. (That's why, despite the desperate flogging by the ignorant who claim that SPF is anything from a preventative to a magic cure-all, the largest adopters of SPF to date are spammers.)
          • the largest adopters of SPF to date are spammers.

            By what measure? Every large e-mail company publishes SPF records. Lots of small ones do too.

            I'd be surprised if the vast majority of active e-mail accounts didn't have SPF records to check (excepting Yahoo, which is domainkeys-or-bust).

  • by LostCluster (625375) * on Wednesday December 28, 2011 @03:59PM (#38518480)

    This appears to be a phishing attack aimed at getting NY Times readers to re-up their subscription with a phony contact given. Looks like their e-mail list got leaked.

    • by Scavia (2541190)
      Could it be that an NYT staffer screwed up, or is it a for-real phishing attempt?
      • by Skapare (16644)

        Look at the headers and see if the SMTP connection really came from 208.70.142.0/23 or not.

    • by dzfoo (772245) on Wednesday December 28, 2011 @04:34PM (#38518852)

      Then how would you explain that I received the message on an e-mail address that I made specifically to use the NYT app and never have used for anything else?

      That automatically rules out a third party. It was either sent in error, or their user accounts list was indeed compromised.

      A possible third alternative is that they shared their accounts list with a partner that was then compromised. Either way it seems the list was compromised.

      • That's what I get for RFTAing... the e-mail clearly identifies it as a print subscription being canceled, but your report of it going out to app users shows a wider breach than I first thought.

    • by fermion (181285)
      As mentioned, the NYT is now taking responsibility for this. I don't know if it was an error or disgruntled employee. I know that this is not the first mistaken email I have received over the holiday. I don't know what precautions these companies have to prevent a single employee from sending mass emails, but it appears the security is minimal.

      What I can say is that the headers appear to indicate that the email is from the NYT servers. There are no fancy links in the email that would otherwise be used

    • This post was written before the thread below it proved my theories wrong.

  • by jerryasher (151512) on Wednesday December 28, 2011 @03:59PM (#38518488)

    I got the email too, and it used the unique email address I gave to the NY Times, so either they were breached or some company they gave my data to was breached.

    Joe Katz on twitter says the same thing:

    "Joe Katz @joekatz 1h
    @NYTPRGUY thing is, I got a "subscription cancelled" message sent to an email alias that only @NYTimes has for me. Was your list hacked?"

    So remember folks when you outsource your IT and marketing and provide them your customer data, you are opening your customers up to their low security practices.

    • I got the email too, and it used the unique email address I gave to the NY Times, so either they were breached or some company they gave my data to was breached.

      Indeed, this will probably force the NYT to shed light on who they share their subscribers' contact information with.

  • by milbournosphere (1273186) on Wednesday December 28, 2011 @04:00PM (#38518498)
    I got the supposed cancellation email this morning, for a subscription I haven't had in almost three years. I was going to call, but I guess I'll just ignore it for now. Text of the email I received is below.

    Dear Home Delivery Subscriber, Our records indicate that you recently requested to cancel your home delivery subscription. Please keep in mind when your delivery service ends, you will no longer have unlimited access to NYTimes.com and our NYTimes apps. We do hope you’ll reconsider. As a valued Times reader we invite you to continue your current subscription at an exclusive rate of 50% off for 16 weeks. This is a limited-time offer and will no longer be valid once your current subscription ends.* Continue your subscription and you’ll keep your free, unlimited digital access, a benefit available only for our home delivery subscribers. You’ll receive unlimited access to NYTimes.com on any device, full access to our smartphone and iPad® apps, plus you can now share your unlimited access with a family member. To continue your subscription call 1-877-698-0025 and mention code [] (Monday–Friday, 8:30 a.m. to 8:30 p.m.; Saturday, 9 a.m. to 3 p.m. E.D.T.).

    Doesn't look like they're trolling for information, but I have not tried the number.

    • To continue your subscription call 1-877-698-0025 and mention code [] (Monday–Friday, 8:30 a.m. to 8:30 p.m.; Saturday, 9 a.m. to 3 p.m. E.D.T.).

      Doesn't look like they're trolling for information, but I have not tried the number.

      The phone number above asks you to send a fax to a different number. They're *definitely* trolling. Note that the real phone number is 1 800 NYTIMES.

      • by Anonymous Coward

        Ooh, ooh, ooh... FAX?

        I predict they will begin receiving sheets of black construction paper shortly...

        • Ooh, ooh, ooh... FAX?

          I predict they will begin receiving sheets of black construction paper shortly...

          I recommend full color Goatse.

        • by pz (113803)

          Oh, man what a *great* idea, thanks!

    • by C-Shalom (969608)
      It's from the same IP address as their other marketing emails regarding digital subscriptions and also their "Exclusively for Times Subscribers" newsletters

      208.70.142.121

      It's from them or their marketing partner.
      I'm putting my money on a marketing campaign gone wrong.
      • Ah, a WHOIS lookup shows that it's the incompetent spammers-for-hire at Epsilon. (Go Google "epsilon spam" for a glimpse at the tip of the iceberg. I'll wait.)

        Back? Good. Epsilon does spam-for-hire for a number of companies; apparently the crack reporting staff at the NYT isn't intelligent or diligent enough to figure this out and report it to their own management. This is hardly the first incident involving them -- or rather, it's hardly the first widely-known incident involving them. Those of us
    • by Skapare (16644)

      Post the email headers ... at least the one showing where the SMTP connection came from.

      • from: The New York Times nytimes@email.newyorktimes.com
        reply-to: "\"no-reply\""
        to: nonyerdamnbiznezz@somemaildrop.com
        date: Wed, Dec 28, 2011 at 12:35 PM
        subject: Important information regarding your subscription
        mailed-by: email.newyorktimes.com

      • Full header is below:

        Delivered-To: my.email@gmail.com
        Received: by 10.236.22.4 with SMTP id s4cs215803yhs;
        Wed, 28 Dec 2011 10:41:55 -0800 (PST)
        Received: by 10.224.34.17 with SMTP id j17mr39609944qad.22.1325097714240;
        Wed, 28 Dec 2011 10:41:54 -0800 (PST)
        Return-Path: <1957cf945layfovciab7saeiaaaaaazzkodoqoseiuiyaaaaa@email.newyorktimes.com>
        Received: from dmx1.bfi0.com (dmailer0121.dmx1.bfi0.com. [208.70.142.121])
        by mx.google.com with ESMTP id k1si20381231qap.21.2011.12.28.10.41.53;
        Wed, 2

  • I really like the walled garden they implemented. It's essentially a "fenced garden." It allows you 20 articles a month for free before bugging you about a subscription. If you follow a link to a story, you can read the story even after the 20 articles are up. You can always browse the main pages for each section. With trivial effort you can call up an article after your 20 articles are done. They don't try to be asses about it.I hope they're finding success with this model, so other companies will adopt it
    • 20 articles? I could use that allotment up in a day or two.

    • by theillien (984847)
      I definitely don't like the WSJ method. I've yet to read a full article on their site because I refuse to be lured in with partials. If it's genuinely news, I'll be able to find it elsewhere and likely for nothing more than ads on my screen.
    • by Pausanias (681077)

      Their walled garden takes cash from people who can afford it AND (want to support the times OR are too stupid to clear cookies).

      The rest of us can either not read it or read it for free.

      I like it. This should be the funding model for the Internet. Kind of like the art patrons of the renaissance.

  • DNS Hack? (Score:4, Informative)

    by Midnight_Falcon (2432802) on Wednesday December 28, 2011 @04:02PM (#38518530)
    At first glance with little information, it appears as though the messages in question with reply-to address @email.nytimes.com, which resolves to the same host as the @ record of nytimes.com (presently, 11:58 PST, 199.239.136.200). However, the message was sent by dmailer099.dmx1.bfi0.com, 208.70.142.99. This is their upstream MTA provider called Epsilon, which had been known to have been hacked previously. Chances are this customer list was compromised from an upstream provider and the mail messages sent via hacking one of the servers at their mail provider, and the NYTimes internal network was not compromised, at least ostensibly by this act. Chances also are that NYTimes only uses this provider for mass communication and not internal messaging. So this is prominent because it involves the NYTimes and a phishing attempt, but in the grand scheme of things it's a bit of a dud.
    • by Skapare (16644)

      Or ... the hack could have actually been executed inside the NYT network. We know big businesses are incapable of completely securing their networks, so it is plausible. Or it could have been a staffer error. We'll never know because people at NYT are all too familiar with all the many ways of covering up bad stuff.

      • You've forgot about the biggest factor inhibiting a cover-up -- the other news organizations! The NYT has a lot of rivals out there, and it's certain that the Wash Post or Reuters etc would love to run stories about their poor security, if that's the case.

        The NY times has been hacked before and is frequently a target for hackers, defacements etc and very likely invests a good sum of money in internal security. However, their mass emails are done by an external vendor, and that's just probably managed as

  • If you surf their site with Javascript turned off, you don't have to sign in at all.

  • Not surprising (Score:5, Interesting)

    by cultiv8 (1660093) on Wednesday December 28, 2011 @04:04PM (#38518542) Homepage
    Someone wrote 4 lines of CSS & JS [slashdot.org] and was able to haxxor NYTimes paywall. A guru hacker [sfphp.org] is not necessary.
  • Reinforces my earlier conclusion that their upstream MTA agent provider for mass mailings had been compromised, and likely still is.

    Available here: https://gist.github.com/1529336 [github.com]

    Received: from dmx1.bfi0.com (dmailer0121.dmx1.bfi0.com. [208.70.142.121]) by mx.google.com with ESMTP id v2si13633651ane.208.2011.12.28.10.17.18; Wed, 28 Dec 2011 10:17:18 -0800 (PST)

    Interesting areas:

    DKIM-Signature: v=1; a=rsa-sha1; d=email.newyorktimes.com; s=ei; c=simple/simple; DomainKey-Signature:

  • Wow, this is really gonna screw with their business model. This was the first year the NYT was trying to push a lot of longtime loyal readers into paid subscriptions (last year got covered by a grant from GM, I think). Now I'm really, really reluctant to give them credit card info. Way to epic fail there, guys.
  • I received a similar message. For the past year, I've had a subsidized, free subscription to the website, and I've been notified that my access will be cut off (or greatly curtailed) if I don't upgrade to a regular digital subscription. I had thought that the subscription department was proposing a new offer-- half price for 16 weeks, rather than 99 cents for the first 8 weeks, then a regular rate afterwards.

    • by rk2z (649358)
      Yeah same thing happened to me, I get the Sunday times and got a new Credit card number and figure they canceled me when my auto bill didn't work. Too bad I was hopping for 50% off. ;(
  • Wonder if the names and cc#s of subscribers will get pastebin'd. Did NYT cover Anonymous' stratfor attack unfavorably or something?
  • I got one today as well. Thought it was strange since I have an account on the web site, but I'm not actually a subscriber. Good to know that it's a mistake and that I'm not using that account for anything important. Hope they weren't hacked though.

  • by Faizdog (243703) on Wednesday December 28, 2011 @04:22PM (#38518740)

    So I got the email in my Gmail account, which is how I've signed up for home delivery of the NYT. I'll foolishly admit that I was fooled, and called the number in the email and got the recorded message saying that the line was busy (maybe that was the whole point, now they've got my number too).

    Anyway, I didn't want to lose the delivery, so I marked the email as unread so that I could address it later and logged out of Gmail.

    After about 20/30 minutes when this story broke on /. and other sties, I figured I'd log back into Gmail, check my email (what you don't compulsively check email?) and delete this spam. I couldn't find it in my inbox! I checked the trash thinking I may have deleted it, but it wasn't there. Then I thought to check the SPAM folder, and sure enough it was in there, still marked as unread.

    Gmail updated the spam policy to classify this specific email as spam in about 20 minutes, where as it had made it into my inbox before.

    Upon reflection, it's not surprising, I'm sure a lot of users marked it as SPAM in the last 20 minutes, but still was interesting for me to note. Gmail's spam filter is usually pretty good, I NEVER even look in the spam folder (even for false positives) so this was an interesting experience. I wonder if I'd left it marked as "read" and not remarked it as "unread" if it would still have been moved out from my inbox to the spam list?

    • by plebeian (910665)
      FYI: I read the message, it is still in my Gmail inbox. I guess their spam filter was only applied to the unread messages..
    • First, the proper term is "spam"; never "SPAM". The former refers to unsolicited bulk email; the latter refers to a product of the Hormel Corporation.

      Second, having conducted extensive testing on Gmail's spam filter, I can only award it a C; both its false positive and false negative rates are unacceptably high, certainly not good enough to qualify for professional use. (However, let me note in passing that this mediocre performance is still much better than that of others competing in the same space;
    • After about 20/30 minutes when this story broke on /. and other sties,

      Hey, watch it...it may be a little messy here, but its no stie !

      -KI
    • by TheBAFH (68624)

      I think that this is biggest news than the article itself. As a sysadmin, i consider the inbox of the mail server write-only. Altering the inbox in any other way except dropping messages in it, should be only done by the user or with the user's consent.

  • Sounds like someone forgot the WHERE clause when sending out the email.

  • by gstrickler (920733) on Wednesday December 28, 2011 @05:05PM (#38519126)

    According the the linked article, an update from NYT indicates that they sent the email. It was supposed to go to 300 people, instead, it went to all 8M people with NYT accounts.

  • I had been a registered user long ago, stopped going there ever since they put up a paywall. I got a spam from them today. I thought it was odd. Anyway, they have been keeping all email addresses, have not deleted any. So subscribers, beware, they probably save the URL of every article you read.
  • I just got this:

    Dear New York Times Reader,

    You may have received an e-mail today from The New York Times with the subject line “Important information regarding your subscription."

    This e-mail was sent by us in error. Please disregard the message. We apologize for any confusion this may have caused.

    Sincerely,

    The New York Times

  • It looks like someone at the Times made a mistake.

    I just received this from NYTimes:
    "Dear New York Times Reader,
    You may have received an e-mail today from The New York Times with the subject line “Important information regarding your subscription."
    This e-mail was sent by us in error. Please disregard the message. We apologize for any confusion this may have caused.
    Sincerely,
    The New York Times"

  • by 93 Escort Wagon (326346) on Wednesday December 28, 2011 @06:48PM (#38520322)

    It's not unusual for this sort of thing to happen, unfortunately. Within the past year I've received at least two spammy emails from different companies which were followed in short time by a second email apologizing for the error. People make mistakes, and always have - so, when it involves electronic communication, I wonder why we're so prone to immediately blaming a hacker for it when a simpler explanation is readily available?

    If someone were to hack the New York Times, I wouldn't think sending out cancellation notices would be high on their "to do" list - whether they were a kiddie hacker or of a more serious bent.

    • by Megaflux (1803738)
      I think the reason is that if you say it is an hacker or a virus, your manager will accept the answer (maybe because he decreased the security budget and starts thinking its his fault), whereas if you say it was an human error the finger pointing is starting really fast and people are afraid of that and trying to postpone the problem (or it maybe going away completely unrecognized as an human error).
  • One of my first jobs was as a route driver for the NYT. It was a crappy job, the pay sucked, and it wore on my car something fierce. And I left a relative at home every night and didn't realize they were going insane, quite literally, with worry about me out driving the streets.

    However, the job taught me a LOT about how to organize a delivery route for efficiency, I got to drive all over literally the richest neighborhood in my city, and for a period of time, I was proud to say I worked for The New York

  • New York Times; I thought they were on Linux? Hmmm
  • by WileyC (188236)

    I was hoping they replaced the articles with million-monkey random gibberish... at least then there would be the chance of some accuracy slipping in!

Sentient plasmoids are a gas.

Working...