Cyber Incident Victim: Wired Magazine
Date:
Sep 2025
Location:
United States of America
Summary
A hacker using the alias 'Lovely' leaked approximately 2.3 million subscriber records from a major magazine publisher, primarily containing email addresses with additional personal data like names, physical addresses, and phone numbers exposed for a subset of users. The breach, attributed to insecure direct object reference flaws and broken access controls, was confirmed through cross-verification with historical malware-compromised credentials. The attacker further claimed possession of over 40 million additional records from the publisher's parent company, threatening imminent release. The compromised data has been integrated into a public breach notification service, impacting multiple affiliated publications under the media conglomerate.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 0 motives | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
In December 2025, a hacker using the alias ‘Lovely’ publicly leaked subscriber records from Wired magazine on multiple cybercrime forums. Cybersecurity firm Hudson Rock analyzed the breach and confirmed the exposure of 2.3 million Wired subscriber records, with the most recent compromised data dating to September 2025. The leaked dataset included names, email addresses, display names, dates of birth, physical addresses, phone numbers, and genders, though only email addresses appeared consistently across all records. Other personal information fields were present in a smaller subset of the exposed user profiles. Hudson Rock validated the authenticity of the data by matching it against subscriber credentials previously compromised by info-stealer malware infections. Based on the structure of the leaked files, investigators concluded the attacker likely exploited insecure direct object reference (IDOR) vulnerabilities and broken access control mechanisms within Wired's systems, enabling unauthorized data access and modification. The compromised Wired records were subsequently added to the Have I Been Pwned breach notification service to alert affected subscribers.
Following the Wired data leak, Lovely claimed possession of over 40 million additional records allegedly stolen from parent company Condé Nast, threatening to release them incrementally over subsequent weeks. Condé Nast’s media portfolio includes prominent publications such as Vogue, Vanity Fair, Glamour, and The New Yorker, suggesting the broader dataset could encompass subscriber information from multiple brands. No specific technical details regarding the methodology for accessing Condé Nast’s systems were disclosed, though the attacker’s prior exploitation of IDOR flaws indicates potential systemic security weaknesses across the organization’s digital assets. The incident exposed Wired subscribers to heightened risks of phishing, identity theft, and targeted social engineering attacks due to the combination of personal identifiers in the leaked data. Condé Nast had not publicly confirmed the validity of the 40-million-record claim or detailed containment measures by the article’s publication date on December 29, 2025.