New York Times Hacked?

First time accepted submitter porsche911 writes "It looks like the NYTimes have been hacked and a large number of subscribers spammed with messages about cancellation of their service. The phone system is overwhelmed as well. The Times is currently saying the email is a fake, but that raises other worries. They were one of the only 3rd parties that had the email in question so it appears either someone really screwed up or they've suffered a data breach." Update: 12/28 21:59 GMT by S : Looks like it was just a mistake by an employee.

Well, they tried hacking the The New Yorker first

[elrous0]

But then they found out that New Yorker readers were far too smug to lower themselves to reading email.

Re:

[sleeepy2]

I got the email about my canceled subscription and I have never subscribed to the Times. Weird.

Re:

[jrminter]

Me too. Just thought it was spam...

Re:

[madhi19]

Yep got it also it a clever attack phishing by hacking somebody else. Am impressed if I was a sub I might even have fallen for it.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[hesaigo999ca]

I got a call from a girl telling me that we can not see each other anymore, and I did not even have a girlfriend.

Re:Well, they tried hacking the The New Yorker fir

[Mashiki]

Too true, and too funny. You forgot to mention that this is also a method to retain customers after their dismal and continual failure to retain a readership base.

Re:Well, they tried hacking the The New Yorker fir

[Anonymous Coward]

I was happy I was unsubscribed, as I have never signed up for anything New York times related ever. So that information that I was unsubscribed had me thanking God.

Sadly, it now appears to be a hoax. I am now crushed in despair.

Re:

[Lunix Nutcase]

[neckbeard mode]

The term is "cracked" not "hacked". When will those stupid lusers ever learn the difference?

[neckbeard mode]

Re:

[flyingsquid]

UPDATE:The Times mistakenly sent e-mails today to subscribers and others, erroneously stating that home delivery of the newspaper had been canceled. We apologize for the inconvenience.

Re:

[LostCluster]

Can't be so sure of that... did people give up their account info to the man-in-the-middle thinking it would continue a subscription somebody else in the household seemed to have canceled?

Re:

[Feyshtey]

Woosh.

Re:

[Runaway1956]

What MIM attack do you refer to? The email gives a phone number to contact, not an email or web page. Unless they have found a way to proxy telephone calls, I don't think it's a MIM.

Re:

[LostCluster]

There are plenty of corrupt call centers in the world. They'll answer the phone and collect data based on the check clearing and not whether they've been hired by the legit management of the brand they answer the phone as. Some call centers are stupid enough to think they're doing the right thing when really they're supplying credit card numbers to the wrong people.

Re:

[lexsird]

Nothing of value lost. He's dissing the NY times as no big loss if you don't get it anymore.

It's probably something schemed up by some agents in support of this draconian bill they are trying to pass.

Re:

[LostCluster]

We take NY Times articles about tech seriously around here. The dead tree edition may be falling apart and their info-wall turned pay-wall strategy might not be liked, but Slashdot would be worse off if the NY Times was to fail completely.

Re:

[lexsird]

Interesting.

I am thinking it's a known left leaning publication and the Right wants SOPA jammed through because they want a foot in the door, to lay down foundations for more intrusive measures into the Internet. Frankly it's a thorn in their sides, they could have swept OWS under the rug if it wasn't for the Internet. I figure it's another cheesy black ops project ran by some out of control spooks either from an alphabet agency or worse, some corporate cowboys that are completely off radar.

If they can dist

Seems the New York Times keeps a spam list

[KnightMB]

I've never subscribed to the New York times, yet my personal e-mail address got the same spam? Does this mean more than just a subscriber list was used or do they have a more extensive list that they have bought/captured over the years that's the equivalent of a giant spam list?

Re:

[NotSanguine]

I do not have a home delivery subscription, just one for the Crossword puzzles, and I received not one, but two spam emails. One to an old email address I used for the account and one for the current email.

As such, it appears that the list does include NY Times account holders of various types. Perhaps this was combined with other spam lists too.

Could be untargeted phishing

[DragonHawk]

It could also be that some con-artist somewhere is sending out phishing emails, designed to look like Times cancellation notices, and sent to large numbers of harvested email addresses. Since the set of NYT subscribers with an email address is a proper subset of the set of people with an email address, a lot of NYT subscribers would still be hit.

But "New York Times Hacked" makes for a better headline.

Re:

[sgbett]

I's say its a mechanical turk implementation of a DDOS!

Spam a bunch of people pretending to be target. A certain percentage of people think e-mail is real and flood legitimate communication channels of said target. (???? / Profit)

Re:Could be untargeted phishing

[postbigbang]

The bounce in the header of the message implies that it was triggered internally. It wouldn't have been used to launder the list, because the bounces would have gone back to NYT.

My guess is that it's not a DDOS, it's a fuckup.

Yup, it's a fuckup

[DragonHawk]

My guess is that it's not a DDOS, it's a fuckup.

Looks like you get the gold star. Good call. :)

Re:

[madhi19]

If I had the point I mod up you just for the mturk reference! loll

Re:

[muon-catalyzed]

never subscribed... , yet my personal e-mail address got the same spam. Does this mean more than just a subscriber list was used or do they have a more extensive list

That means that NYT might not have been compromised. The e-mail spammer just took advantage of NYT to ensnare recipients or intends to damage NYT.

Re:

[dzfoo]

I would agree, except for the fact that I received the message on a throw-away address I only gave the New York Times to use their app.

It seems clear to me then that their accounts list was compromised.

      dZ.

Re:

[antdude]

Same here. They only have my e-mail address because I use to log in. BugMeNot's accounts don't always work.

NY Times Response

[NotSanguine]

Is this [nytimes.com]

Re:

[cultiv8]

We’re working to coordinate a response

Good to know they're on top of things.

Re:NY Times Response

[Skapare]

They also need to get their DNS updated to also include a genuine SPF record and not rely entirely on the TXT record.

Re:

[Arrogant-Bastard]

There's no reason to do so: SPF has no anti-spam and no anti-forgery value in the contemporary environment. (That's why, despite the desperate flogging by the ignorant who claim that SPF is anything from a preventative to a magic cure-all, the largest adopters of SPF to date are spammers.)

Re:

[bill_mcgonigle]

the largest adopters of SPF to date are spammers.

By what measure? Every large e-mail company publishes SPF records. Lots of small ones do too.

I'd be surprised if the vast majority of active e-mail accounts didn't have SPF records to check (excepting Yahoo, which is domainkeys-or-bust).

Print Subscribers Only

[LostCluster]

This appears to be a phishing attack aimed at getting NY Times readers to re-up their subscription with a phony contact given. Looks like their e-mail list got leaked.

Re:

[Scavia]

Could it be that an NYT staffer screwed up, or is it a for-real phishing attempt?

Re:

[Skapare]

Look at the headers and see if the SMTP connection really came from 208.70.142.0/23 or not.

Re:Print Subscribers Only

[dzfoo]

Then how would you explain that I received the message on an e-mail address that I made specifically to use the NYT app and never have used for anything else?

That automatically rules out a third party. It was either sent in error, or their user accounts list was indeed compromised.

A possible third alternative is that they shared their accounts list with a partner that was then compromised. Either way it seems the list was compromised.

Re:

[LostCluster]

That's what I get for RFTAing... the e-mail clearly identifies it as a print subscription being canceled, but your report of it going out to app users shows a wider breach than I first thought.

Re:

[fermion]

As mentioned, the NYT is now taking responsibility for this. I don't know if it was an error or disgruntled employee. I know that this is not the first mistaken email I have received over the holiday. I don't know what precautions these companies have to prevent a single employee from sending mass emails, but it appears the security is minimal.

What I can say is that the headers appear to indicate that the email is from the NYT servers. There are no fancy links in the email that would otherwise be used

Mod my own post down...

[LostCluster]

This post was written before the thread below it proved my theories wrong.

Used the unique address I gave to the NY Times

[jerryasher]

I got the email too, and it used the unique email address I gave to the NY Times, so either they were breached or some company they gave my data to was breached.

Joe Katz on twitter says the same thing:

"Joe Katz @joekatz 1h
@NYTPRGUY thing is, I got a "subscription cancelled" message sent to an email alias that only @NYTimes has for me. Was your list hacked?"

So remember folks when you outsource your IT and marketing and provide them your customer data, you are opening your customers up to their low security practices.

this will shed light

[l2718]

I got the email too, and it used the unique email address I gave to the NY Times, so either they were breached or some company they gave my data to was breached.

Indeed, this will probably force the NYT to shed light on who they share their subscribers' contact information with.

I can confirm the email being sent out.

[milbournosphere]

I got the supposed cancellation email this morning, for a subscription I haven't had in almost three years. I was going to call, but I guess I'll just ignore it for now. Text of the email I received is below.

Dear Home Delivery Subscriber, Our records indicate that you recently requested to cancel your home delivery subscription. Please keep in mind when your delivery service ends, you will no longer have unlimited access to NYTimes.com and our NYTimes apps. We do hope you’ll reconsider. As a valued Times reader we invite you to continue your current subscription at an exclusive rate of 50% off for 16 weeks. This is a limited-time offer and will no longer be valid once your current subscription ends.* Continue your subscription and you’ll keep your free, unlimited digital access, a benefit available only for our home delivery subscribers. You’ll receive unlimited access to NYTimes.com on any device, full access to our smartphone and iPad® apps, plus you can now share your unlimited access with a family member. To continue your subscription call 1-877-698-0025 and mention code [] (Monday–Friday, 8:30 a.m. to 8:30 p.m.; Saturday, 9 a.m. to 3 p.m. E.D.T.).

Doesn't look like they're trolling for information, but I have not tried the number.

Re:

[NotSanguine]

To continue your subscription call 1-877-698-0025 and mention code [] (Monday–Friday, 8:30 a.m. to 8:30 p.m.; Saturday, 9 a.m. to 3 p.m. E.D.T.).

Doesn't look like they're trolling for information, but I have not tried the number.

The phone number above asks you to send a fax to a different number. They're *definitely* trolling. Note that the real phone number is 1 800 NYTIMES.

Re:

[Anonymous Coward]

Ooh, ooh, ooh... FAX?

I predict they will begin receiving sheets of black construction paper shortly...

Re:

[NotSanguine]

Ooh, ooh, ooh... FAX?

I predict they will begin receiving sheets of black construction paper shortly...

I recommend full color Goatse.

Re:

[pz]

Oh, man what a *great* idea, thanks!

Re:

[C-Shalom]

It's from the same IP address as their other marketing emails regarding digital subscriptions and also their "Exclusively for Times Subscribers" newsletters

208.70.142.121

It's from them or their marketing partner.
I'm putting my money on a marketing campaign gone wrong.

Re:

[Arrogant-Bastard]

Ah, a WHOIS lookup shows that it's the incompetent spammers-for-hire at Epsilon. (Go Google "epsilon spam" for a glimpse at the tip of the iceberg. I'll wait.)

Back? Good. Epsilon does spam-for-hire for a number of companies; apparently the crack reporting staff at the NYT isn't intelligent or diligent enough to figure this out and report it to their own management. This is hardly the first incident involving them -- or rather, it's hardly the first widely-known incident involving them. Those of us

Re:

[Skapare]

Post the email headers ... at least the one showing where the SMTP connection came from.

Re:

[Runaway1956]

from: The New York Times nytimes@email.newyorktimes.com
reply-to: "\"no-reply\""
to: nonyerdamnbiznezz@somemaildrop.com
date: Wed, Dec 28, 2011 at 12:35 PM
subject: Important information regarding your subscription
mailed-by: email.newyorktimes.com

Re:

[milbournosphere]

Full header is below:

Delivered-To: my.email@gmail.com
Received: by 10.236.22.4 with SMTP id s4cs215803yhs;
Wed, 28 Dec 2011 10:41:55 -0800 (PST)
Received: by 10.224.34.17 with SMTP id j17mr39609944qad.22.1325097714240;
Wed, 28 Dec 2011 10:41:54 -0800 (PST)
Return-Path: <1957cf945layfovciab7saeiaaaaaazzkodoqoseiuiyaaaaa@email.newyorktimes.com>
Received: from dmx1.bfi0.com (dmailer0121.dmx1.bfi0.com. [208.70.142.121])
by mx.google.com with ESMTP id k1si20381231qap.21.2011.12.28.10.41.53;
Wed, 2

well-done walled garden

[noh8rz2]

I really like the walled garden they implemented. It's essentially a "fenced garden." It allows you 20 articles a month for free before bugging you about a subscription. If you follow a link to a story, you can read the story even after the 20 articles are up. You can always browse the main pages for each section. With trivial effort you can call up an article after your 20 articles are done. They don't try to be asses about it.I hope they're finding success with this model, so other companies will adopt it

Re:

[Jeremy Erwin]

20 articles? I could use that allotment up in a day or two.

Re:

[theillien]

I definitely don't like the WSJ method. I've yet to read a full article on their site because I refuse to be lured in with partials. If it's genuinely news, I'll be able to find it elsewhere and likely for nothing more than ads on my screen.

Re:

[Pausanias]

Their walled garden takes cash from people who can afford it AND (want to support the times OR are too stupid to clear cookies).

The rest of us can either not read it or read it for free.

I like it. This should be the funding model for the Internet. Kind of like the art patrons of the renaissance.

DNS Hack?

[Midnight_Falcon]

At first glance with little information, it appears as though the messages in question with reply-to address @email.nytimes.com, which resolves to the same host as the @ record of nytimes.com (presently, 11:58 PST, 199.239.136.200). However, the message was sent by dmailer099.dmx1.bfi0.com, 208.70.142.99. This is their upstream MTA provider called Epsilon, which had been known to have been hacked previously. Chances are this customer list was compromised from an upstream provider and the mail messages sent via hacking one of the servers at their mail provider, and the NYTimes internal network was not compromised, at least ostensibly by this act. Chances also are that NYTimes only uses this provider for mass communication and not internal messaging. So this is prominent because it involves the NYTimes and a phishing attempt, but in the grand scheme of things it's a bit of a dud.

Re:

[Skapare]

Or ... the hack could have actually been executed inside the NYT network. We know big businesses are incapable of completely securing their networks, so it is plausible. Or it could have been a staffer error. We'll never know because people at NYT are all too familiar with all the many ways of covering up bad stuff.

Re:

[Midnight_Falcon]

You've forgot about the biggest factor inhibiting a cover-up -- the other news organizations! The NYT has a lot of rivals out there, and it's certain that the Wash Post or Reuters etc would love to run stories about their poor security, if that's the case.

The NY times has been hacked before and is frequently a target for hackers, defacements etc and very likely invests a good sum of money in internal security. However, their mass emails are done by an external vendor, and that's just probably managed as

Turn off Javascript when going to nytimes.com

[Anonymous Coward]

If you surf their site with Javascript turned off, you don't have to sign in at all.

Not surprising

[cultiv8]

Someone wrote 4 lines of CSS & JS [slashdot.org] and was able to haxxor NYTimes paywall. A guru hacker [sfphp.org] is not necessary.

Re:

[milbournosphere]

You dont' even need that. All you need to do is remove everything after the question mark in the url from the address bar, and refresh.

http://www.nytimes.com/2011/12/29/world/europe/despite-drop-in-borrowing-rates-italys-economic-travails-remain-acute.html?hp&gwh=EDDD7B35BB09C81DDA0899E0B59BC09C [nytimes.com]
changes to
http://www.nytimes.com/2011/12/29/world/europe/despite-drop-in-borrowing-rates-italys-economic-travails-remain-acute.html [nytimes.com]

Bam, all the free New York Times content you want.

Re:

[antdude]

Does it still work today?

I bookmarked it and tried a few NYT articles, but I keep gettings its JS code in my Mozilla's SeaMonkey v2.0.14 web browser? :(

Copy of E-mail headers

[Midnight_Falcon]

Reinforces my earlier conclusion that their upstream MTA agent provider for mass mailings had been compromised, and likely still is.

Available here: https://gist.github.com/1529336 [github.com]

Received: from dmx1.bfi0.com (dmailer0121.dmx1.bfi0.com. [208.70.142.121]) by mx.google.com with ESMTP id v2si13633651ane.208.2011.12.28.10.17.18; Wed, 28 Dec 2011 10:17:18 -0800 (PST)

Interesting areas:

DKIM-Signature: v=1; a=rsa-sha1; d=email.newyorktimes.com; s=ei; c=simple/simple; DomainKey-Signature:

Re:

[Midnight_Falcon]

Or the IT department of their upstream mail transfer provider, as most media agencies have rather than building an in-house network. I hope these systems are discrete.

well-timed blow

[Scavia]

Wow, this is really gonna screw with their business model. This was the first year the NYT was trying to push a lot of longtime loyal readers into paid subscriptions (last year got covered by a grant from GM, I think). Now I'm really, really reluctant to give them credit card info. Way to epic fail there, guys.

A phishing scheme with great timing?

[Jeremy Erwin]

I received a similar message. For the past year, I've had a subsidized, free subscription to the website, and I've been notified that my access will be cut off (or greatly curtailed) if I don't upgrade to a regular digital subscription. I had thought that the subscription department was proposing a new offer-- half price for 16 weeks, rather than 99 cents for the first 8 weeks, then a regular rate afterwards.

Re:

[rk2z]

Yeah same thing happened to me, I get the Sunday times and got a new Credit card number and figure they canceled me when my auto bill didn't work. Too bad I was hopping for 50% off. ;(

All the names fit to print.

[hawks5999]

Wonder if the names and cc#s of subscribers will get pastebin'd. Did NYT cover Anonymous' stratfor attack unfavorably or something?

I was wondering about that e-mail

[dekker]

I got one today as well. Thought it was strange since I have an account on the web site, but I'm not actually a subscriber. Good to know that it's a mistake and that I'm not using that account for anything important. Hope they weren't hacked though.

Gmail's SPAM filter updates/adapts fast!

[Faizdog]

So I got the email in my Gmail account, which is how I've signed up for home delivery of the NYT. I'll foolishly admit that I was fooled, and called the number in the email and got the recorded message saying that the line was busy (maybe that was the whole point, now they've got my number too).

Anyway, I didn't want to lose the delivery, so I marked the email as unread so that I could address it later and logged out of Gmail.

After about 20/30 minutes when this story broke on /. and other sties, I figured I'd log back into Gmail, check my email (what you don't compulsively check email?) and delete this spam. I couldn't find it in my inbox! I checked the trash thinking I may have deleted it, but it wasn't there. Then I thought to check the SPAM folder, and sure enough it was in there, still marked as unread.

Gmail updated the spam policy to classify this specific email as spam in about 20 minutes, where as it had made it into my inbox before.

Upon reflection, it's not surprising, I'm sure a lot of users marked it as SPAM in the last 20 minutes, but still was interesting for me to note. Gmail's spam filter is usually pretty good, I NEVER even look in the spam folder (even for false positives) so this was an interesting experience. I wonder if I'd left it marked as "read" and not remarked it as "unread" if it would still have been moved out from my inbox to the spam list?

Re:

[plebeian]

FYI: I read the message, it is still in my Gmail inbox. I guess their spam filter was only applied to the unread messages..

Re:

[Arrogant-Bastard]

First, the proper term is "spam"; never "SPAM". The former refers to unsolicited bulk email; the latter refers to a product of the Hormel Corporation.

Second, having conducted extensive testing on Gmail's spam filter, I can only award it a C; both its false positive and false negative rates are unacceptably high, certainly not good enough to qualify for professional use. (However, let me note in passing that this mediocre performance is still much better than that of others competing in the same space;

Re:

[Killer Instinct]

After about 20/30 minutes when this story broke on /. and other sties,

Hey, watch it...it may be a little messy here, but its no stie !

-KI

Re:

[TheBAFH]

I think that this is biggest news than the article itself. As a sysadmin, i consider the inbox of the mail server write-only. Altering the inbox in any other way except dropping messages in it, should be only done by the user or with the user's consent.

Missing WHERE?

[Lucabrasi]

Sounds like someone forgot the WHERE clause when sending out the email.

NYT admits they screwed up

[gstrickler]

According the the linked article, an update from NYT indicates that they sent the email. It was supposed to go to 300 people, instead, it went to all 8M people with NYT accounts.

I got one too.

[140Mandak262Jamuna]

I had been a registered user long ago, stopped going there ever since they put up a paywall. I got a spam from them today. I thought it was odd. Anyway, they have been keeping all email addresses, have not deleted any. So subscribers, beware, they probably save the URL of every article you read.

They're now claiming it was their error

[dekker]

I just got this:

Dear New York Times Reader,

You may have received an e-mail today from The New York Times with the subject line “Important information regarding your subscription."

This e-mail was sent by us in error. Please disregard the message. We apologize for any confusion this may have caused.

Sincerely,

The New York Times

"e-mail sent by us in error"

[porsche911]

It looks like someone at the Times made a mistake.

I just received this from NYTimes:
"Dear New York Times Reader,
You may have received an e-mail today from The New York Times with the subject line “Important information regarding your subscription."
This e-mail was sent by us in error. Please disregard the message. We apologize for any confusion this may have caused.
Sincerely,
The New York Times"

Blame hacking by default

[93 Escort Wagon]

It's not unusual for this sort of thing to happen, unfortunately. Within the past year I've received at least two spammy emails from different companies which were followed in short time by a second email apologizing for the error. People make mistakes, and always have - so, when it involves electronic communication, I wonder why we're so prone to immediately blaming a hacker for it when a simpler explanation is readily available?

If someone were to hack the New York Times, I wouldn't think sending out cancellation notices would be high on their "to do" list - whether they were a kiddie hacker or of a more serious bent.

Re:

[Megaflux]

I think the reason is that if you say it is an hacker or a virus, your manager will accept the answer (maybe because he decreased the security budget and starts thinking its his fault), whereas if you say it was an human error the finger pointing is starting really fast and people are afraid of that and trying to postpone the problem (or it maybe going away completely unrecognized as an human error).

Re:

[Kalriath]

More likely is that they are just trying to coast off some media attention.

Hey I wanted the deal! Darn!

[RubberDogBone]

One of my first jobs was as a route driver for the NYT. It was a crappy job, the pay sucked, and it wore on my car something fierce. And I left a relative at home every night and didn't realize they were going insane, quite literally, with worry about me out driving the streets.

However, the job taught me a LOT about how to organize a delivery route for efficiency, I got to drive all over literally the richest neighborhood in my city, and for a period of time, I was proud to say I worked for The New York

New York Times,on Linux?

[dontgetshocked]

New York Times; I thought they were on Linux? Hmmm

Darn!

[WileyC]

I was hoping they replaced the articles with million-monkey random gibberish... at least then there would be the chance of some accuracy slipping in!