26.12.2025
2 min
440
More than 2.3 million subscribers of WIRED are facing increased risks of phishing and cyberattacks following a large-scale data leak. The threat actor claims to possess an additional 40 million records allegedly linked to the publisher’s parent company, Condé Nast.
A threat actor operating under the alias lovely has publicly released a database containing personal information of 2.3 million WIRED users. The leaked data has already been indexed by Have I Been Pwned, with independent researchers confirming the authenticity of at least part of the dataset.
According to cybersecurity firm Hudson Rock, the breach appears to be linked to credentials harvested by infostealer malware. Researchers identified a high-confidence overlap between compromised user logs and the leaked database, allowing them to verify the incident without direct interaction with the affected organization.
The exposed records include email addresses, subscriber names, home addresses, and phone numbers. Analysts believe the attacker may have exploited Insecure Direct Object Reference (IDOR) vulnerabilities by iterating user identifiers through poorly protected endpoints.
Researchers also suspect that critical account management systems lacked proper password validation, potentially enabling unauthorized access or modification of user credentials within Condé Nast’s centralized identity infrastructure. The threat actor claims to have contacted the company while posing as a security researcher before initiating the public data leak.
Security experts warn that affected users face heightened risks of spear phishing, doxing, and even physical swatting attacks. The absence of an official response from Condé Nast raises further concerns about the scale and impact of the breach.
