
Condé Nast Ignored Warnings, Exposing Millions of WIRED Subscriber Records

Last updated: December 29, 2025
  • A hacker known as “Lovely” leaked over 2.3 million WIRED subscriber records on Christmas Day 2025, with threats of 40 million more.

  • The breach exploited fundamental security loopholes in Condé Nast’s shared identity infrastructure, which is used across various publications.

  • The bad actors allege they sent warnings to Condé Nast about the loopholes for weeks but did not get any response.

After Condé Nast Ignored Warnings, Hackers Publish Data of 2.3 Million WIRED Subscribers

In a historic data breach, one of the world’s leading media firms, Condé Nast, lost control of the records of millions of subscribers. The worst part? They were warned repeatedly and did nothing.

On Christmas Day 2025, a hacker calling themselves “Lovely” posted a database containing 2.3 million WIRED subscriber records on hacking forums like Breach Stars and BreachForums.

This isn’t just a one-time dump. Lovely claims this is only the start, warning that attackers will release another 40 million records from Condé Nast brands like Vanity Fair, Vogue, GQ, and Architectural Digest.

Hijacked Subscriber Base Leaks Emails, Names, Home Address, and Phone Numbers

The haul from WIRED’s subscriber base is extensive: 2.3 million emails, 285,936 legal names, 102,479 residential addresses, as well as 32,426 contact numbers. The records span more than a decade, with user accounts created between 2011 and 2022. Activity timestamps on these accounts extend to September 8, 2025.

Each record is in JSON format, with fields such as user IDs, subscription information, and profile details. Screenshots circulating from the leak show extensive file lists and redacted subscriber details across multiple Condé Nast websites.

While no passwords or payment information appeared in this initial release, the personal data exposed creates serious risks for phishing attacks, doxing, and even swatting.

Hudson Rock researchers verified the authenticity of the WIRED data. They cross-referenced it with RedLine and Raccoon infostealer logs, confirming significant overlap with already compromised credentials. According to their findings, a larger problem may follow, because Condé Nast’s shared ID system leaves a 40-million-record breach already within reach.

IDOR Gave Attackers Access Following Concurrent Warnings

According to a technical review, the attackers got in through a basic security failure: Insecure Direct Object References, or IDOR. It’s likely they retrieved user profiles by simply iterating over user ID numbers. It’s like trying every locker combination in sequence until you find ones that open.

Even worse, broken access controls on account endpoints allowed unauthenticated access. Anyone could view and modify emails, passwords, and user profiles without proper authentication. These fundamental flaws in Condé Nast’s centralized platform enabled bulk data theft without the attackers ever needing to fully authenticate as legitimate users.
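The flaw class described above, shown as an added example that is not from the article or from Condé Nast’s code: a handler that trusts the requested user ID beside one that authenticates the caller and checks ownership of the requested object. The profile store, session tokens and function names are hypothetical, and the records are constructed.

```python
# Added illustration: hypothetical in-memory profile store and handlers.
# All data is constructed; nothing here comes from Condé Nast's systems.
from dataclasses import dataclass

PROFILES = {  # constructed sample records keyed by sequential user ID
    1001: {"email": "a@example.test", "name": "Alice"},
    1002: {"email": "b@example.test", "name": "Bob"},
    1003: {"email": "c@example.test", "name": "Carol"},
}
SESSIONS = {"tok-alice": 1001, "tok-bob": 1002}  # session token -> user ID


@dataclass
class Response:
    status: int
    body: dict


def get_profile_vulnerable(user_id, session_token=None):
    """IDOR: trusts the ID in the request and ignores who is asking."""
    profile = PROFILES.get(user_id)
    if profile is None:
        return Response(404, {})
    return Response(200, profile)


def get_profile_hardened(user_id, session_token=None):
    """Authenticate first, then authorize against the requested object."""
    caller = SESSIONS.get(session_token)
    if caller is None:
        return Response(401, {})  # no valid session: reject outright
    profile = PROFILES.get(user_id)
    if caller != user_id or profile is None:
        # Same answer for "exists but not yours" and "does not exist",
        # so responses do not reveal which IDs are valid.
        return Response(404, {})
    return Response(200, profile)


def readable_ids(handler, session_token, id_range):
    """Return the IDs for which the handler discloses a profile to this caller."""
    return [i for i in id_range if handler(i, session_token).status == 200]
```

Running `readable_ids` over the same ID range against both handlers makes a useful regression test: the hardened handler should disclose at most the caller’s own record.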

In November 2025, Lovely initially posed as a security researcher going by “Dissent Doe.” They contacted DataBreaches.net, asking for help notifying Condé Nast about six specific vulnerabilities they’d discovered.

What followed was weeks of silence. Lovely reached out repeatedly through multiple channels. They tried WIRED reporters directly. They contacted security teams. Nothing worked. Condé Nast offered no public response. The company didn’t even have a security.txt file—a basic mechanism for receiving vulnerability reports.

Frustrated by the complete lack of acknowledgement, Lovely released the WIRED database as a “Christmas Lump of Coal.” In their announcement, they directly accused Condé Nast of ignoring users’ security and privacy.

This incident highlights a critical failure to act on critical warnings—a theme that extends beyond corporate security to law enforcement, as seen in cases where official alerts allegedly tipped off suspects, compromising investigations.

“They gave cybercriminals a false sense of protection by refusing to take down flagged illegal websites,” applies here too, except Condé Nast ignored repeated warnings about its own security flaws.

Affected subscribers are already seeing the impact. Dark web monitoring services like Have I Been Pwned added the breach to their databases. Users report receiving alerts that their information appears in the dump. Condé Nast’s continued silence only amplifies the risks.

Since the firm uses shared login infrastructure across all of its brands, compromised details could spread throughout its whole publishing empire. Security veterans are urging all Condé Nast subscribers to change passwords immediately and keep an eye on their accounts.


About the Author

Memchick E


Digital Privacy Journalist

Memchick is a digital privacy journalist who investigates how technology and policy impact personal freedom. Her work explores surveillance capitalism, encryption laws, and the real-world consequences of data leaks. She is driven by a mission to demystify digital rights and empower readers with the knowledge to protect their anonymity online.
