That’s according to a report Tuesday (Dec. 30) by Ars Technica, itself a Condé Nast publication. It says that a hacker named Lovely claims to have breached a Condé Nast user database and released a list of more than 2.3 million user records.
The materials in question include things like names, email and street addresses and phone numbers, but no passwords. The hacker is also threatening to release another additional 40 million records for other Condé Nast publications that include Vogue, The New Yorker, and Vanity Fair and more.
Ars Technica says it was not affected as it runs its own tech stack. The hacker said that they had pushed Condé Nast to patch vulnerabilities to no avail.
“Condé Nast does not care about the security of their users’ data,” the hacker wrote. “It took us an entire month to convince them to fix the vulnerabilities on their websites. We will leak more of their users’ data (40+ million) over the next few weeks. Enjoy!”
The report also presents a counterargument from DataBreaches.Net, which says that Lovely misled the site into believing that the hacker was trying to help repair vulnerabilities, when in reality, it appears that the hacker is a “cybercriminal” seeking a payout.
“As for ‘Lovely,’ they played me. Condé Nast should never pay them a dime, and no one else should ever, as their word clearly cannot be trusted,” wrote DataBreaches.Net.
The breach follows a series of similar incidents at high-profile companies, including one at South Korean eCommerce giant Coupang that affected millions of its customers. The company earlier this week said it would offer $1 billion in compensation to those individuals.
Last week, Goldman Sachs said some of its alternative investment fund clients’ data might have been exposed following a cybersecurity incident at one of the bank’s law firms.
And Petco revealed at the start of December that a setting on one of its software applications made customers’ personal info accessible online.
In other cybersecurity news, recent PYMNTS Intelligence research examines how social engineering has become a dominant threat vector for companies with annual revenues of $100 million to $1 billion.
Nearly every respondent surveyed by PYMNTS suffered at least one social engineering incident in the past year. Many attacks originate not within the firm but outside it via compromised third parties that seem legitimate.
“The result is a threat environment where even well-defended companies remain exposed because their partners may not be,” PYMNTS wrote.
