A major data breach has hit Condé Nast, the media conglomerate behind WIRED, after hackers leaked a database containing over 2.3 million subscriber records.
The leak surfaced around Christmas Day 2025 on underground forums, with a threat actor known as “Lovely” claiming responsibility. The actor warned this is only the beginning, threatening to release up to 40 million additional records tied to other Condé Nast publications, including Vogue, The New Yorker, GQ, and Vanity Fair.
If verified, the breach would represent one of the largest media-industry data exposures in recent years.
What Data Was Exposed
According to samples shared on forums such as BreachForums and Breach Stars, the leaked dataset contains extensive personally identifiable information (PII) related to WIRED subscribers.
Leaked Data Breakdown
| Data Type | Count |
|---|---|
| Email addresses | 2,300,000 |
| Names | 285,936 |
| Home addresses | 102,479 |
| Phone numbers | 32,426 |
The records appear in JSON-formatted profiles, including:
- Unique user IDs
- Account creation dates (2011–2022)
- Recent activity timestamps up to September 8, 2025
- Subscription-related metadata
Screenshots from the leak show large file listings and subscriber profiles spanning multiple Condé Nast digital properties.
Data Verified as Legitimate
Cyber threat intelligence firm Hudson Rock analyzed the leaked data and confirmed its authenticity by cross-referencing it against known RedLine and Raccoon infostealer logs.
Their analysis revealed a high overlap with previously compromised credentials, indicating that many affected subscribers may already have been exposed through malware infections—significantly increasing the risk of follow-on attacks.
How the Breach Happened: IDOR and Broken Access Controls
Investigators believe attackers exploited Insecure Direct Object Reference (IDOR) vulnerabilities within Condé Nast’s centralized identity platform.
Key technical failures include:
- Unauthenticated access to account endpoints
- Ability to iterate through sequential user IDs
- Bulk scraping of profile data via API responses
- Modification of emails, passwords, and profiles without proper authorization
These broken access controls allowed attackers to mass-export user profiles without needing full account authentication—a classic but devastating web application security failure.
A Wider Threat: 40 Million Records at Risk
Hudson Rock warns that the exposed WIRED dataset may be a subset of a much larger breach affecting Condé Nast’s shared identity system, which spans dozens of media brands.
The threat actor claims access to up to 40 million records, potentially impacting subscribers across:
- WIRED
- Vogue
- The New Yorker
- GQ
- Vanity Fair
- Architectural Digest
Because many users reuse the same credentials across these platforms, the breach could have cascading effects.
Ignored Vulnerability Reports Sparked the Leak
In a troubling twist, “Lovely” claims they attempted responsible disclosure before leaking the data.
In November 2025, the actor—using the alias “Dissent Doe”—contacted DataBreaches.net, alleging they had identified six critical vulnerabilities in Condé Nast’s systems.
According to reports:
- Condé Nast was contacted multiple times
- WIRED reporters and security teams were allegedly notified
- No public acknowledgment or remediation followed
- Condé Nast lacked a published security.txt file
Frustrated by the silence, the attacker released the WIRED data as a so-called “Christmas Lump of Coal,” accusing the company of neglecting user security.
Impact on Subscribers
Affected users report alerts from breach monitoring services, including Have I Been Pwned, which has since added the incident to its database.
While no passwords or payment card data appeared in the initial dump, the exposed PII creates serious downstream risks:
- Targeted phishing and credential-stuffing attacks
- Account takeover attempts
- Doxxing and harassment
- Swatting and identity abuse
Condé Nast’s lack of immediate public communication has amplified concern among subscribers and security professionals alike.
What Affected Users Should Do Now
Security experts recommend immediate defensive action:
- Reset passwords on Condé Nast accounts
- Change passwords anywhere reused
- Enable multi-factor authentication where available
- Monitor accounts for phishing or impersonation attempts
- Be cautious of unsolicited emails referencing subscriptions
Organizations handling subscriber data should view this incident as a stark reminder of the importance of access control testing, API security audits, and responsible vulnerability disclosure programs.
Why This Breach Matters
Media companies hold vast troves of personal data—but are often overlooked as high-value targets.
This incident highlights how basic web security flaws, combined with ignored disclosure attempts, can escalate into massive privacy failures.
As digital subscriptions continue to grow, Condé Nast’s response—or lack thereof—may become a case study in how not to handle vulnerability reports and user trust.
Key Takeaways
- 2.3M WIRED subscriber records leaked
- Attackers exploited IDOR and broken access controls
- Data includes emails, addresses, and phone numbers
- Threat actor claims access to 40M additional records
- Silence from Condé Nast increased user risk
