A hacker operating under the alias “Lovely” has leaked 2.3 million subscriber records from Wired magazine and is threatening to release an additional 40 million records from its parent company, Condé Nast.
The exposed Wired data appeared on multiple cybercrime forums in recent days, prompting concerns about broader data security risks across Condé Nast’s portfolio, which includes publications such as Vogue, Vanity Fair, Glamour, and The New Yorker.
Details of the Wired Data Leak
Cybersecurity firm Hudson Rock analyzed the leaked files and confirmed their authenticity by cross-referencing with credentials previously compromised through info-stealer malware. The dataset includes:
- Names and display names
- Email addresses (present in all records)
- Dates of birth
- Physical addresses
- Phone numbers
- Genders
While email addresses are included for every subscriber, other personally identifiable information (PII) is limited to a smaller subset of records. The most recent entries are dated September 2025.
Likely Cause and Vulnerabilities
Hudson Rock suggests the hacker exploited insecure direct object reference (IDOR) flaws and broken access control issues, allowing unauthorized access and potential modification of subscriber data. The leak has already been added to the Have I Been Pwned breach notification service, enabling affected users to check whether their information has been compromised.
Threat of Further Exposure
Following the Wired leak, Lovely claimed to have obtained over 40 million additional records from Condé Nast. These records may include subscriber data from the company’s other publications. The hacker has reportedly threatened to release this information in the coming weeks, heightening concerns about widespread personal data exposure.
Industry Implications
Condé Nast has not yet commented publicly on the breach, but the incident underscores the risks faced by large media companies managing vast amounts of subscriber information. Experts warn that such large-scale leaks can fuel identity theft, phishing campaigns, and other cybercrimes.
