Slashdot Mirror
New York Times Hacked?
First time accepted submitter porsche911 writes "It looks like the NYTimes have been hacked and a large number of subscribers spammed with messages about cancellation of their service. The phone system is overwhelmed as well. The Times is currently saying the email is a fake, but that raises other worries. They were one of the only 3rd parties that had the email in question so it appears either someone really screwed up or they've suffered a data breach."
Update: 12/28 21:59 GMT by S : Looks like it was just a mistake by an employee.
But then they found out that New Yorker readers were far too smug to lower themselves to reading email.
SJW: Someone who has run out of real oppression, and has to fake it.
I got the email about my canceled subscription and I have never subscribed to the Times. Weird.
I've never subscribed to the New York times, yet my personal e-mail address got the same spam? Does this mean more than just a subscriber list was used or do they have a more extensive list that they have bought/captured over the years that's the equivalent of a giant spam list?
Is this
No, no, you're not thinking; you're just being logical. --Niels Bohr
This appears to be a phishing attack aimed at getting NY Times readers to re-up their subscription with a phony contact given. Looks like their e-mail list got leaked.
I got the email too, and it used the unique email address I gave to the NY Times, so either they were breached or some company they gave my data to was breached.
Joe Katz on twitter says the same thing:
"Joe Katz @joekatz 1h
@NYTPRGUY thing is, I got a "subscription cancelled" message sent to an email alias that only @NYTimes has for me. Was your list hacked?"
So remember folks when you outsource your IT and marketing and provide them your customer data, you are opening your customers up to their low security practices.
Too true, and too funny. You forgot to mention that this is also a method to retain customers after their dismal and continual failure to retain a readership base.
Om, nomnomnom...
Dear Home Delivery Subscriber, Our records indicate that you recently requested to cancel your home delivery subscription. Please keep in mind when your delivery service ends, you will no longer have unlimited access to NYTimes.com and our NYTimes apps. We do hope you’ll reconsider. As a valued Times reader we invite you to continue your current subscription at an exclusive rate of 50% off for 16 weeks. This is a limited-time offer and will no longer be valid once your current subscription ends.* Continue your subscription and you’ll keep your free, unlimited digital access, a benefit available only for our home delivery subscribers. You’ll receive unlimited access to NYTimes.com on any device, full access to our smartphone and iPad® apps, plus you can now share your unlimited access with a family member. To continue your subscription call 1-877-698-0025 and mention code [] (Monday–Friday, 8:30 a.m. to 8:30 p.m.; Saturday, 9 a.m. to 3 p.m. E.D.T.).
Doesn't look like they're trolling for information, but I have not tried the number.
I really like the walled garden they implemented. It's essentially a "fenced garden." It allows you 20 articles a month for free before bugging you about a subscription. If you follow a link to a story, you can read the story even after the 20 articles are up. You can always browse the main pages for each section. With trivial effort you can call up an article after your 20 articles are done. They don't try to be asses about it.I hope they're finding success with this model, so other companies will adopt it instead of WSJ type approaches.
Can't be so sure of that... did people give up their account info to the man-in-the-middle thinking it would continue a subscription somebody else in the household seemed to have canceled?
At first glance with little information, it appears as though the messages in question with reply-to address @email.nytimes.com, which resolves to the same host as the @ record of nytimes.com (presently, 11:58 PST, 199.239.136.200). However, the message was sent by dmailer099.dmx1.bfi0.com, 208.70.142.99. This is their upstream MTA provider called Epsilon, which had been known to have been hacked previously. Chances are this customer list was compromised from an upstream provider and the mail messages sent via hacking one of the servers at their mail provider, and the NYTimes internal network was not compromised, at least ostensibly by this act. Chances also are that NYTimes only uses this provider for mass communication and not internal messaging. So this is prominent because it involves the NYTimes and a phishing attempt, but in the grand scheme of things it's a bit of a dud.
If you surf their site with Javascript turned off, you don't have to sign in at all.
That is what they get for their restrictive 19xx "Register to read" BS.
Seriously. What is that supposed to do? To force people to register?
Someone wrote 4 lines of CSS & JS and was able to haxxor NYTimes paywall. A guru hacker is not necessary.
sysadmins and parents of newborns get the same amount of sleep.
It could also be that some con-artist somewhere is sending out phishing emails, designed to look like Times cancellation notices, and sent to large numbers of harvested email addresses. Since the set of NYT subscribers with an email address is a proper subset of the set of people with an email address, a lot of NYT subscribers would still be hit.
But "New York Times Hacked" makes for a better headline.
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
Indeed, this will probably force the NYT to shed light on who they share their subscribers' contact information with.
I was happy I was unsubscribed, as I have never signed up for anything New York times related ever. So that information that I was unsubscribed had me thanking God.
Sadly, it now appears to be a hoax. I am now crushed in despair.
Available here: https://gist.github.com/1529336
Received: from dmx1.bfi0.com (dmailer0121.dmx1.bfi0.com. [208.70.142.121]) by mx.google.com with ESMTP id v2si13633651ane.208.2011.12.28.10.17.18; Wed, 28 Dec 2011 10:17:18 -0800 (PST)
Interesting areas:
DKIM-Signature: v=1; a=rsa-sha1; d=email.newyorktimes.com; s=ei; c=simple/simple; DomainKey-Signature: q=dns; a=rsa-sha1; c=nofws;
From anecdotal evidence it seems like the e-mails are going out to those who have registered it at some point with the New York Times. This would be not only those with paper subscriptions, but those with an account on the site--something that used to be free an thus tons of people would have registered. That explains those that are saying they weren't a subscriber but got the message.
Similar to the original post, I too got the message to an account that is kept very private. It seems extremely unlikely that this was a case of random SPAM. The New York Times needs to come clean. They say that "they" didn't send the message... but many on Twitter have pointed out the e-mails originated from a 3rd party company that the Times has previously used for sending out legit messages. It seems likely that either they, or the 3rd party, has a rogue employee or has suffered a data breach. Either way it's customer data they they have a responsibility for keeping secure.
Suddenly the IT dept of a newspaper has become news itself... oops.
Wow, this is really gonna screw with their business model. This was the first year the NYT was trying to push a lot of longtime loyal readers into paid subscriptions (last year got covered by a grant from GM, I think). Now I'm really, really reluctant to give them credit card info. Way to epic fail there, guys.
I received a similar message. For the past year, I've had a subsidized, free subscription to the website, and I've been notified that my access will be cut off (or greatly curtailed) if I don't upgrade to a regular digital subscription. I had thought that the subscription department was proposing a new offer-- half price for 16 weeks, rather than 99 cents for the first 8 weeks, then a regular rate afterwards.
Wonder if the names and cc#s of subscribers will get pastebin'd. Did NYT cover Anonymous' stratfor attack unfavorably or something?
I got one today as well. Thought it was strange since I have an account on the web site, but I'm not actually a subscriber. Good to know that it's a mistake and that I'm not using that account for anything important. Hope they weren't hacked though.
[neckbeard mode]
The term is "cracked" not "hacked". When will those stupid lusers ever learn the difference?
[neckbeard mode]
So I got the email in my Gmail account, which is how I've signed up for home delivery of the NYT. I'll foolishly admit that I was fooled, and called the number in the email and got the recorded message saying that the line was busy (maybe that was the whole point, now they've got my number too).
Anyway, I didn't want to lose the delivery, so I marked the email as unread so that I could address it later and logged out of Gmail.
After about 20/30 minutes when this story broke on /. and other sties, I figured I'd log back into Gmail, check my email (what you don't compulsively check email?) and delete this spam. I couldn't find it in my inbox! I checked the trash thinking I may have deleted it, but it wasn't there. Then I thought to check the SPAM folder, and sure enough it was in there, still marked as unread.
Gmail updated the spam policy to classify this specific email as spam in about 20 minutes, where as it had made it into my inbox before.
Upon reflection, it's not surprising, I'm sure a lot of users marked it as SPAM in the last 20 minutes, but still was interesting for me to note. Gmail's spam filter is usually pretty good, I NEVER even look in the spam folder (even for false positives) so this was an interesting experience. I wonder if I'd left it marked as "read" and not remarked it as "unread" if it would still have been moved out from my inbox to the spam list?
-"Those who fought today will die tommorow."-
Me too. Just thought it was spam...
Sounds like someone forgot the WHERE clause when sending out the email.
People still use fax machines? I thought these days people scan documents and then email them.
According the the linked article, an update from NYT indicates that they sent the email. It was supposed to go to 300 people, instead, it went to all 8M people with NYT accounts.
make imaginary.friends COUNT=100 VISIBLE=false
Woosh.
"But we have to pass the bill so that you can find out what is in it,..." - Nancy Pelosi
I was happy I was unsubscribed, as I have never signed up for anything New York times related ever. So that information that I was unsubscribed had me thanking God.
Sadly, it now appears to be a hoax. I am now crushed in despair.
Thanking God for what?
They New York TImes now admits that there earlier assertions that the e-mail was "SPAM" and "not from us" were in fact false. The e-mail was from them. They say they weren't hacked but that it was sent by an employee to 8 million people who had, at one point or another, registered they're e-mail address with the Times.
Evolution of this story:
1. It wasn't from us...
2. Really it's SPAM, just delete it...
3. Seriously, it wasn't us, it's SPAM, there's nothing to see here people, move along now...
4. Techno Nerds: The headers check out... that e-mail really did come from them or it was an extraordinarily well done fake!
5. All other media outlets: New York Times has been hacked... stay tuned for more details
6. New York Times: We're investigating
7. New York Times: OK... so we told a fib. It really was us. Ooops. Sorry. We weren't hacked... (we're telling the truth this time, we promise)
There's likely a few folks in the New York Times IT department looking for jobs this evening...
What MIM attack do you refer to? The email gives a phone number to contact, not an email or web page. Unless they have found a way to proxy telephone calls, I don't think it's a MIM.
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
I had been a registered user long ago, stopped going there ever since they put up a paywall. I got a spam from them today. I thought it was odd. Anyway, they have been keeping all email addresses, have not deleted any. So subscribers, beware, they probably save the URL of every article you read.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Same here.
I just got this:
Dear New York Times Reader,
You may have received an e-mail today from The New York Times with the subject line “Important information regarding your subscription."
This e-mail was sent by us in error. Please disregard the message. We apologize for any confusion this may have caused.
Sincerely,
The New York Times
UPDATE:The Times mistakenly sent e-mails today to subscribers and others, erroneously stating that home delivery of the newspaper had been canceled. We apologize for the inconvenience.
It looks like someone at the Times made a mistake.
I just received this from NYTimes:
"Dear New York Times Reader,
You may have received an e-mail today from The New York Times with the subject line “Important information regarding your subscription."
This e-mail was sent by us in error. Please disregard the message. We apologize for any confusion this may have caused.
Sincerely,
The New York Times"
According to Ars Technica ... (As we note in the update up top, in this case there was no hack of Epsilon. The Times now says the e-mail was mistakenly sent by a Times employee, not an employee of Epsilon.)
UPDATE: Just after we posted the story below, New York Times reporters confirmed that the e-mail was from the paper, and that it was mistakenly sent to more than 8 million people instead of only 300 as intended. Previously, the Times said the message was spam and denied sending it.
http://arstechnica.com/business/news/2011/12/spammers-take-control-of-new-york-times-e-mail-list.ars
Nothing of value lost. He's dissing the NY times as no big loss if you don't get it anymore.
It's probably something schemed up by some agents in support of this draconian bill they are trying to pass.
Take the Red Pill.
Dear New York Times Reader,
You may have received an e-mail today from The New York Times with the subject line “Important information regarding your subscription."
This e-mail was sent by us in error. Please disregard the message. We apologize for any confusion this may have caused.
Sincerely,
The New York Times
My guess is that it's not a DDOS, it's a fuckup.
Looks like you get the gold star. Good call. :)
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
Mee too!!!111
Hey, I got an email about my credit card being disabled and I don't even have a credit card.
Don't fight for your country, if your country does not fight for you.
It's not unusual for this sort of thing to happen, unfortunately. Within the past year I've received at least two spammy emails from different companies which were followed in short time by a second email apologizing for the error. People make mistakes, and always have - so, when it involves electronic communication, I wonder why we're so prone to immediately blaming a hacker for it when a simpler explanation is readily available?
If someone were to hack the New York Times, I wouldn't think sending out cancellation notices would be high on their "to do" list - whether they were a kiddie hacker or of a more serious bent.
#DeleteChrome
There are plenty of corrupt call centers in the world. They'll answer the phone and collect data based on the check clearing and not whether they've been hired by the legit management of the brand they answer the phone as. Some call centers are stupid enough to think they're doing the right thing when really they're supplying credit card numbers to the wrong people.
We take NY Times articles about tech seriously around here. The dead tree edition may be falling apart and their info-wall turned pay-wall strategy might not be liked, but Slashdot would be worse off if the NY Times was to fail completely.
Interesting.
I am thinking it's a known left leaning publication and the Right wants SOPA jammed through because they want a foot in the door, to lay down foundations for more intrusive measures into the Internet. Frankly it's a thorn in their sides, they could have swept OWS under the rug if it wasn't for the Internet. I figure it's another cheesy black ops project ran by some out of control spooks either from an alphabet agency or worse, some corporate cowboys that are completely off radar.
If they can disturb enough sheeple on the Left, attacking their precious NYT, they might cave on SOPA, being it's to protect us from those evil hackers. For the children...and other BS, you know. I wonder if it's the same operatives who orchestrated the scandal on the IMF chief a while back in NY? The question remains, did the IMF ever gain access to Ft Knox to check out the rumor it's empty of gold? Or did that blatant scandal scare them off from coming to American soil, after we proved we would defecate all over diplomatic protocols to protect this big fat rumor. Face it, we gave the world a thinly veiled F YOU, with that whole ordeal.
Not to mention NYPD was busted working with Government black ops and nothing became of it. Shoved under the rug like everything else. Expect more "Left" targets until enough hysteria is generated and they can jam SOPA or something worse through.
Take the Red Pill.
apparently hacked by @destructiveSec as per their tweet https://twitter.com/#!/DestructiveSec/status/152165387839086592
@DestructiveSec ;-)
Destructive Security
#OpFireSail - bit.ly/rBMsE0 - New York Times Hacked - We gained access "shortly" to there email server
4 minutes ago via Twitter for iPhone Favorite Undo Retweet Reply
This post was written before the thread below it proved my theories wrong.
One of my first jobs was as a route driver for the NYT. It was a crappy job, the pay sucked, and it wore on my car something fierce. And I left a relative at home every night and didn't realize they were going insane, quite literally, with worry about me out driving the streets.
However, the job taught me a LOT about how to organize a delivery route for efficiency, I got to drive all over literally the richest neighborhood in my city, and for a period of time, I was proud to say I worked for The New York Times, dammit! Back when THAT meant something! Sure, I was a tiny cog in a giant machine but it beat being a nobody working for a nothing company. The local paper guys used to HATE us. We were the glory boys of paper throwing.
I have never forgotten the experience.
So we here at RubberDogBone Central were happy to hear about a half-off deal that would get us the paper and probably keep some poor route driver out of his/her way to deliver it.
Oh well. Some poor route driver's relative will have to find another way to go insane.
Sig for hire.
Yep got it also it a clever attack phishing by hacking somebody else. Am impressed if I was a sub I might even have fallen for it.
New York Times; I thought they were on Linux? Hmmm
I was hoping they replaced the articles with million-monkey random gibberish... at least then there would be the chance of some accuracy slipping in!
/// Not a super-genius . . . yet. ///
I got a call from a girl telling me that we can not see each other anymore, and I did not even have a girlfriend.