2.3M WIRED Subscribers Exposed in Condé Nast Leak

What Happened

In late December 2025, a database with 2.3+ million records tied to WIRED subscribers surfaced on underground forums. A threat actor called Lovely posted it on Breach Stars on Dec 20, claiming they exploited weaknesses in Condé Nast’s account systems, then reposted it elsewhere. Researchers said the files appear to come from an internal API, not scraping.

The leak reportedly includes email addresses for all subscribers, plus additional personal details for some users. No passwords or payment data were found, but the exposure still increases phishing and identity fraud risk.

The actor also threatened to release 40 million records tied to other Condé Nast titles, claiming prior vulnerability reports were ignored. Condé Nast and WIRED had not publicly confirmed the incident at the time, and the data was added to Have I Been Pwned. Experts advised users to watch for suspicious emails and change any reused passwords.

Timeline: From First Access to Latest Update

• Late November 2025 – According to correspondence published by DataBreaches.net, a person using the alias Lovely contacted the site on 22 November. They claimed to have found serious flaws in Condé Nast’s account system and asked for help reaching the company’s security team. Lovely said they had downloaded a limited number of subscriber profiles as proof.
• Early December 2025 – After repeated attempts to notify Condé Nast went unanswered, Lovely informed DataBreaches that they had extracted tens of millions of accounts through the same flaws. They began threatening to leak the data publicly.
• 20 December 2025 – Lovely published a post on the newly launched Breach Stars forum titled “2.3M wired.com Database”. The listing, priced at about $2.30 in forum credits, linked to a compressed archive of 2.366 million records. The hacker criticised Condé Nast for failing to respond to vulnerability reports and warned that additional dumps from other brands would follow.
• 23 December 2025 – Dark‑web monitoring tools and community users began flagging the leaked records. Some subscribers reported receiving notifications from breach tracking services. Condé Nast and WIRED remained silent.
• 25 December 2025 – The leak gained wider attention after security outlets reported on it. eSecurity Planet described the breach and confirmed that Hudson Rock researchers used RedLine and Raccoon infostealer logs to validate the authenticity of the WIRED data.
• 26 December 2025 – A Breach Stars moderator posting under the nickname Tanaka shared the same dataset again, making it freely accessible. Analysis of the file showed that the most recent entries were from 8 September 2025 and that many profiles were created between 2011 and 2022.
• 27 December 2025 – Have I Been Pwned added the WIRED breach to its database. More news sites, including CyberInsider, SecurityWeek and BleepingComputer, published analyses detailing the scope of the exposed data and the potential impact. None of the reports included a statement from Condé Nast.
• 28 – 29 December 2025 – Security Affairs noted that Lovely had threatened to release records for more than 40 million users of other Condé Nast publications if the company did not address the vulnerabilities. SOCRadar and Techzine warned that weaknesses in a central identity platform could expose users across multiple brands. Condé Nast continued to decline comment.
• Late December 2025 – January 2026 – Additional coverage highlighted the risk of a larger data dump and the absence of any official disclosure. As of early January 2026 there has been no public notification to affected subscribers or evidence of law‑enforcement involvement.

What Data or Systems Were Affected

The leaked database appears to have been pulled from Condé Nast’s centralized account system. It contains 2.366 million rows representing roughly 2.3 million unique email addresses. The dataset includes:

• Email addresses – present in every record and the only field filled for many subscribers.
• Full names – about 285 thousand entries list a first and last name.
• Physical addresses – over 102 thousand records include a home address.
• Phone numbers – roughly 32 thousand subscribers have a phone number in their profile.
• Demographic details – smaller subsets contain gender or date of birth; one analysis counted 67 thousand birthdays and 1,529 full profiles with name, address, phone number and gender.
• Account metadata – each record includes a unique internal ID, creation and update timestamps and, in some cases, last session dates or display names. Many creation dates fall between 2011 and 2022, while the newest activity is from September 2025.

Researchers noted that the records were structured in JSON format, suggesting direct API queries rather than scraping of web pages. The system appears to be shared across Condé Nast brands such as Vogue, Vanity Fair, GQ and Architectural Digest, raising concerns that users of other publications could be affected if more data is leaked.

Crucially, the database does not contain passwords or payment-card details. However, the presence of names, addresses and phone numbers can fuel phishing, doxing and other social-engineering attacks.

Who Was Responsible

Confirmed: No law‑enforcement agency has publicly identified a suspect or charged anyone in connection with the breach. There is also no confirmation from Condé Nast as to the identity of the intruder.

Alleged: The individual who posted the data uses the online aliases Lovely and Tanaka. Lovely initially presented themselves to journalists as a security researcher seeking responsible disclosure. Correspondence published by DataBreaches shows Lovely contacting the site on 22 November and sharing sample data to demonstrate the vulnerability.

After failing to obtain a response from Condé Nast, Lovely admitted they had downloaded millions of accounts and subsequently released the WIRED dataset. Lovely also claimed to have stolen data for more than 40 million users across Condé Nast brands and threatened further leaks.

How the Attack Worked

Security researchers attribute the breach to Insecure Direct Object Reference (IDOR) flaws and broken access controls in Condé Nast’s account management system. Subscriber profiles were indexed with predictable, sequential identifiers, and the backend failed to consistently verify whether a requester was authorized to access each profile.

By enumerating these IDs and making API requests, an attacker could retrieve large numbers of subscriber records without logging in or satisfying authorization checks. Some endpoints not only exposed profile data but also allowed unauthenticated users to modify account attributes such as email addresses and passwords.

The dataset’s structured JSON format and inclusion of internal metadata suggest direct access to a backend service rather than scraping of published articles. No malware or phishing of subscribers was needed; the weaknesses were server side.

Company Response and Customer Remediation

As of early January 2026, neither Condé Nast nor WIRED had issued a public statement acknowledging the breach. There has been no confirmed notification to affected subscribers, no offered credit monitoring and no published timeline for remediation.

The company has not responded to repeated inquiries from security journalists and researchers. The absence of communication leaves subscribers relying on third‑party services such as Have I Been Pwned for awareness and on their own vigilance for protection.

Researchers and consumer advocates advise WIRED readers and users of other Condé Nast publications to:

• Watch for phishing emails or phone calls referencing Condé Nast brands. Attackers may use exposed email addresses and names to craft convincing messages.
• Change passwords on accounts that share the same email address, especially if those credentials are reused across sites. Even though passwords were not leaked, attackers may attempt credential‑stuffing attacks using other breached combinations.
• Enable multi‑factor authentication on important accounts to reduce the risk of unauthorized access.
• Monitor credit reports and financial statements for unusual activity. While financial data was not part of this leak, aggregated personal information can be used in identity fraud.

Government, Law Enforcement and Regulator Actions

There have been no public announcements of investigations, fines or enforcement actions tied to this incident. Because Condé Nast is privately held, it is not subject to the U.S. Securities and Exchange Commission’s rapid-disclosure requirements for public companies.

However, state breach notification laws may still apply. To date there has been no evidence that any attorney general or data protection authority has taken action. Without a formal disclosure, regulators may be unaware of the scope of the incident, delaying any legal response.

Financial, Legal and Business Impact

Without confirmation from Condé Nast, the immediate financial impact is speculative. The release of 2.3 million email addresses and related personal details carries significant reputational risk for a publisher whose flagship titles cover technology and security. Analysts note that the threat of an additional 40 million records spanning The New Yorker, Vogue, Vanity Fair and other brands could dramatically amplify liability and erode trust among readers and advertisers.

Potential consequences include:

• Reputational damage: The leak undermines confidence in Condé Nast’s ability to protect user data, especially given the perception that the company failed to respond to vulnerability reports.
• Litigation risk: If the breach is confirmed, Condé Nast could face consumer lawsuits alleging negligence and seeking damages for privacy violations. Class actions often follow large data exposures once authentication is established, though no such suits have been filed yet.
• Regulatory fines: Depending on the jurisdictions in which affected subscribers reside, data protection authorities may impose penalties if the company is found to have inadequate security or delayed notification.
• Operational costs: Condé Nast would need to audit and fix its identity platform, implement stronger access controls, and possibly separate account systems for individual brands to prevent cross‑brand enumeration. It may also need to offer credit monitoring or other remedies, which could be costly.

What Remains Unclear

Several questions remain unanswered:

• Confirmation and scope: Condé Nast has not confirmed that the database came from its systems. Without an official statement, the exact scope of the breach and whether other titles were affected remain uncertain.
• Attack duration: It is unclear when the vulnerabilities were first exploited and how long the attacker had access to the account system. The dataset includes records dating back decades, but the most recent activity is from September 2025.
• Larger breach claims: Lovely claims to possess data for more than 40 million users across multiple Condé Nast publications. No evidence has surfaced to verify that number. Whether additional datasets will be released remains unknown.
• Identity of the attacker: Beyond the aliases Lovely and Tanaka, the real identity of the hacker has not been publicly revealed. It is also unknown whether this was a lone actor or a group.
• Regulatory response: It remains to be seen if state attorneys general or international data protection regulators will initiate investigations or enforcement actions once the breach is confirmed.

Why This Incident Matters

The WIRED subscriber leak is significant because it shows how simple authorization flaws in a large media company’s account system can expose millions of users across multiple brands. The breach demonstrates that centralizing identity management for convenience can create a single point of failure, magnifying the impact when vulnerabilities are present.

The actor’s claim of a 40 million‑record trove underscores the scale of potential exposure when corporate networks share account infrastructure.

Although passwords and financial data were not stolen, the combination of email addresses, names and contact details can fuel targeted phishing, credential‑stuffing and social‑engineering attacks. Readers who trust Condé Nast titles for technology and security news now face the irony of having their own personal information circulating on cybercrime forums.

This episode also highlights the importance of a clear vulnerability disclosure channel; had the company responded to early warnings, the damage might have been limited.

Read About More Breaches Here!

Sources

1. SecurityWeek — Hacker Claims Theft of 40 Million Condé Nast Records After Wired Data Leak (Dec. 29, 2025) (SecurityWeek) 
2. SOCRadar — WIRED Data Leak Exposes 2.3M Users Amid Broader Claims (Dec. 29, 2025) (SOCRadar® Cyber Intelligence Inc). 
3. Techzine Global — Dataset containing data from Wired circulating on hacker forums (Dec. 29, 2025) (Techzine Global)
4. Hackread — Hacker Leaks 2.3M Wired.com Records, Claims 40M-User Condé Nast Breach (Dec. 27, 2025)( hackread.com) 
5. eSecurity Planet — 2.3M WIRED Subscriber Records Leaked in Condé Nast Data Breach (Dec. 29, 2025)( eSecurity Planet) 
6. Security Affairs — Condé Nast faces major data breach: 2.3M WIRED records leaked, 40M more at risk (Dec. 28, 2025)( Security Affairs )
7. BleepingComputer — Hacker claims to leak WIRED database with 2.3 million records (Dec. 28, 2025) (BleepingComputer) 
8. DataBreaches.net — Condé Nast gets hacked, and DataBreaches gets “played” — Christmas lump of coal edition (Dec. 25, 2025) (DataBreaches.Net) 
9. Have I Been Pwned — WIRED Data Breach (page reflects the breach entry added in Dec. 2025) (Have I Been Pwned)