New York Times Hacked?

First time accepted submitter porsche911 writes "It looks like the NYTimes have been hacked and a large number of subscribers spammed with messages about cancellation of their service. The phone system is overwhelmed as well. The Times is currently saying the email is a fake, but that raises other worries. They were one of the only 3rd parties that had the email in question so it appears either someone really screwed up or they've suffered a data breach." Update: 12/28 21:59 GMT by S : Looks like it was just a mistake by an employee.

Well, they tried hacking the The New Yorker first

[elrous0]

But then they found out that New Yorker readers were far too smug to lower themselves to reading email.

Re:Well, they tried hacking the The New Yorker fir

[sleeepy2]

I got the email about my canceled subscription and I have never subscribed to the Times. Weird.

Seems the New York Times keeps a spam list

[KnightMB]

I've never subscribed to the New York times, yet my personal e-mail address got the same spam? Does this mean more than just a subscriber list was used or do they have a more extensive list that they have bought/captured over the years that's the equivalent of a giant spam list?

NY Times Response

[NotSanguine]

Is this

Re:NY Times Response

[Skapare]

They also need to get their DNS updated to also include a genuine SPF record and not rely entirely on the TXT record.

Print Subscribers Only

[LostCluster]

This appears to be a phishing attack aimed at getting NY Times readers to re-up their subscription with a phony contact given. Looks like their e-mail list got leaked.

Re:Print Subscribers Only

[dzfoo]

Then how would you explain that I received the message on an e-mail address that I made specifically to use the NYT app and never have used for anything else?

That automatically rules out a third party. It was either sent in error, or their user accounts list was indeed compromised.

A possible third alternative is that they shared their accounts list with a partner that was then compromised. Either way it seems the list was compromised.

Used the unique address I gave to the NY Times

[jerryasher]

I got the email too, and it used the unique email address I gave to the NY Times, so either they were breached or some company they gave my data to was breached.

Joe Katz on twitter says the same thing:

"Joe Katz @joekatz 1h
@NYTPRGUY thing is, I got a "subscription cancelled" message sent to an email alias that only @NYTimes has for me. Was your list hacked?"

So remember folks when you outsource your IT and marketing and provide them your customer data, you are opening your customers up to their low security practices.

Re:Well, they tried hacking the The New Yorker fir

[Mashiki]

Too true, and too funny. You forgot to mention that this is also a method to retain customers after their dismal and continual failure to retain a readership base.

I can confirm the email being sent out.

[milbournosphere]

I got the supposed cancellation email this morning, for a subscription I haven't had in almost three years. I was going to call, but I guess I'll just ignore it for now. Text of the email I received is below.

Dear Home Delivery Subscriber, Our records indicate that you recently requested to cancel your home delivery subscription. Please keep in mind when your delivery service ends, you will no longer have unlimited access to NYTimes.com and our NYTimes apps. We do hope you’ll reconsider. As a valued Times reader we invite you to continue your current subscription at an exclusive rate of 50% off for 16 weeks. This is a limited-time offer and will no longer be valid once your current subscription ends.* Continue your subscription and you’ll keep your free, unlimited digital access, a benefit available only for our home delivery subscribers. You’ll receive unlimited access to NYTimes.com on any device, full access to our smartphone and iPad® apps, plus you can now share your unlimited access with a family member. To continue your subscription call 1-877-698-0025 and mention code [] (Monday–Friday, 8:30 a.m. to 8:30 p.m.; Saturday, 9 a.m. to 3 p.m. E.D.T.).

Doesn't look like they're trolling for information, but I have not tried the number.

DNS Hack?

[Midnight_Falcon]

At first glance with little information, it appears as though the messages in question with reply-to address @email.nytimes.com, which resolves to the same host as the @ record of nytimes.com (presently, 11:58 PST, 199.239.136.200). However, the message was sent by dmailer099.dmx1.bfi0.com, 208.70.142.99. This is their upstream MTA provider called Epsilon, which had been known to have been hacked previously. Chances are this customer list was compromised from an upstream provider and the mail messages sent via hacking one of the servers at their mail provider, and the NYTimes internal network was not compromised, at least ostensibly by this act. Chances also are that NYTimes only uses this provider for mass communication and not internal messaging. So this is prominent because it involves the NYTimes and a phishing attempt, but in the grand scheme of things it's a bit of a dud.

Not surprising

[cultiv8]

Someone wrote 4 lines of CSS & JS and was able to haxxor NYTimes paywall. A guru hacker is not necessary.

Could be untargeted phishing

[DragonHawk]

It could also be that some con-artist somewhere is sending out phishing emails, designed to look like Times cancellation notices, and sent to large numbers of harvested email addresses. Since the set of NYT subscribers with an email address is a proper subset of the set of people with an email address, a lot of NYT subscribers would still be hit.

But "New York Times Hacked" makes for a better headline.

Re:Could be untargeted phishing

[postbigbang]

The bounce in the header of the message implies that it was triggered internally. It wouldn't have been used to launder the list, because the bounces would have gone back to NYT.

My guess is that it's not a DDOS, it's a fuckup.

Re:Well, they tried hacking the The New Yorker fir

I was happy I was unsubscribed, as I have never signed up for anything New York times related ever. So that information that I was unsubscribed had me thanking God.

Sadly, it now appears to be a hoax. I am now crushed in despair.

Gmail's SPAM filter updates/adapts fast!

[Faizdog]

So I got the email in my Gmail account, which is how I've signed up for home delivery of the NYT. I'll foolishly admit that I was fooled, and called the number in the email and got the recorded message saying that the line was busy (maybe that was the whole point, now they've got my number too).

Anyway, I didn't want to lose the delivery, so I marked the email as unread so that I could address it later and logged out of Gmail.

After about 20/30 minutes when this story broke on /. and other sties, I figured I'd log back into Gmail, check my email (what you don't compulsively check email?) and delete this spam. I couldn't find it in my inbox! I checked the trash thinking I may have deleted it, but it wasn't there. Then I thought to check the SPAM folder, and sure enough it was in there, still marked as unread.

Gmail updated the spam policy to classify this specific email as spam in about 20 minutes, where as it had made it into my inbox before.

Upon reflection, it's not surprising, I'm sure a lot of users marked it as SPAM in the last 20 minutes, but still was interesting for me to note. Gmail's spam filter is usually pretty good, I NEVER even look in the spam folder (even for false positives) so this was an interesting experience. I wonder if I'd left it marked as "read" and not remarked it as "unread" if it would still have been moved out from my inbox to the spam list?

NYT admits they screwed up

[gstrickler]

According the the linked article, an update from NYT indicates that they sent the email. It was supposed to go to 300 people, instead, it went to all 8M people with NYT accounts.