“`html
Cybercriminals have disclosed a database comprising over 2.3 million WIRED subscriber records, signaling a significant violation at Condé Nast, the parent organization.
The malicious entity “Lovely” asserts this is merely the beginning, vowing to unveil up to 40 million additional records from entities such as Vogue and The New Yorker.
The data breach, released on hacking platforms like Breach Stars and BreachForums around December 25, 2025, encompasses 2.3 million email addresses, 285,936 names, 102,479 home addresses, and 32,426 phone numbers.
The records contain JSON-formatted profiles with attributes like user IDs, creation dates from 2011 to 2022, and recent actions up to September 8, 2025. Images from the leak reveal substantial file inventories and redacted subscriber information across Condé Nast websites.
Hudson Rock analysts authenticated the validity of the WIRED data by cross-verifying with RedLine and Raccoon infostealer logs, confirming significant overlaps in compromised credentials.
The company cautions about a forthcoming 40-million-line breach aimed at Condé Nast’s shared identity system, which includes publications such as Vanity Fair, GQ, and Architectural Digest. Although no passwords or payment details surfaced in the initial leak, exposure of personally identifiable information increases threats for phishing, doxing, and swatting.
Hackers exploited Insecure Direct Object References (IDOR) to harvest profiles by cycling through user IDs, leading to extensive JSON exports.
Defective access controls on account endpoints permitted unauthorized access to and alteration of emails, passwords, and profiles. These vulnerabilities in the centralized platform facilitated bulk data extraction without complete authentication.
| Data Type | Count |
|---|---|
| Emails | 2,300,000 |
| Names | 285,936 |
| Addresses | 102,479 |
| Phone Numbers | 32,426 |
In November 2025, “Lovely” masqueraded as a researcher, “Dissent Doe,” and reached out to DataBreaches.net to alert Condé Nast about six vulnerabilities.
Despite multiple attempts to communicate, including through WIRED reporters and security teams, Condé Nast provided no public commentary or security.txt file. Feeling disheartened, Lovely released the WIRED data as a “Christmas Lump of Coal,” accusing the organization of neglecting users.
Impacted subscribers report activity on dark web surveillance tools like Have I Been Pwned, which included the breach. Condé Nast’s lack of communication heightens dangers, as shared logins could lead to cross-entity risks. Experts advocate for password changes and continuous monitoring, emphasizing the necessity for enhanced vulnerability reporting in major media corporations.
“`