Earlier this month, a hacker named Lovely claimed to have hacked into a Condé Nast user database and released a list of more than 2.3 million user records from our sister publication WIRED. The released material contains demographic information (name, email, address, phone, etc.) but no passwords.
The hacker also says they will release an additional 40 million records for other Condé Nast properties, including our other sister publications Fashion, The New Yorker, Vanity fairand more. Of critical note for our readers: Ars Technica was not affected as we run on our own custom tech stack.
The hacker said they urged Condé Nast to patch vulnerabilities to no avail. “Condé Nast does not care about the security of their users' data,” the hacker wrote. “It took us a whole month to convince them to fix the vulnerabilities on their websites. We will be leaking even more user data (over 40 million) in the coming weeks. Have fun!”
It is unclear how altruistic the motive really was. DataBreaches.Net says Lovely tricked the site into believing the hacker was trying to patch vulnerabilities, when in reality it appears the hacker is a “cybercriminal” looking for a payout. “As for 'Lovely,' they played me. Condé Nast should never pay them a dime, and no one else should ever, because their word clearly cannot be trusted,” DataBreaches.Net wrote.
Condé Nast has not issued a statement and we have not been notified internally of the hack (which is not surprising, since Ars is not affected).
Hudson Rock's InfoStealers provides an excellent overview of what has come to light.
