What happened
A threat actor using the alias “Lovely” has published a dataset of 2.3 million purported WIRED subscriber records on cybercrime forums and claims to have obtained a much larger trove, potentially up to 40 million records tied to Condé Nast’s portfolio of brands. The leaked WIRED data includes email addresses and, for a smaller subset, names, dates of birth, physical addresses, phone numbers and gender. Security analysis by Hudson Rock and validation via Have I Been Pwned indicate the WIRED portion is legitimate. The actor also claims exploitation of insecure direct object references and broken access controls to access the data. Condé Nast has not issued a public statement about the incident.
Who is affected
- Subscribers of WIRED magazine whose personal information appears in the initial leak.
- Potentially millions of users across Condé Nast’s brands, including major publications such as Vogue, The New Yorker, Glamour and Vanity Fair, if the actor’s claims of 40 million affected records prove accurate.
- Individuals whose data includes contact details, demographic fields and metadata linked to their accounts.
Why CISOs should care
This incident highlights persistent risks in web application access controls that can lead to mass data exposure, particularly when data is aggregated across a broad set of digital properties. Whether the breach originated via IDOR or broken access control logic, it underscores the importance of continuous validation and hardening of identity and API endpoints. The situation also illustrates how a failure in vulnerability response can escalate into large-scale data loss and public exposure, a cautionary tale for organizations managing high-value consumer data.
3 practical actions
- Review and tighten access controls: Conduct an immediate audit of APIs and endpoints for insecure object references and enforce strict authorization checks to prevent unauthorized data access.
- Monitor breach indicators: Integrate datasets from incidents like this one into services such as Have I Been Pwned and internal threat intel feeds to rapidly identify compromised accounts and notify impacted users.
- Strengthen vulnerability response: Ensure clear, documented channels for vulnerability reporting and efficient remediation workflows with executive visibility to avoid exploitation after disclosures.
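
As an added illustration of the first action (not code from Condé Nast or from the original article), the sketch below puts a record lookup with no object-level authorization beside a hardened version, plus a regression check a team could run against its own handlers. The record layout, the `support` role and all function names are assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass

# Constructed sample records; field names are assumptions for illustration.
SUBSCRIBERS = {
    1001: {"owner": "alice", "email": "alice@example.com", "dob": "1990-01-01"},
    1002: {"owner": "bob", "email": "bob@example.com", "dob": "1985-06-15"},
}

@dataclass(frozen=True)
class Session:
    user: str
    roles: frozenset = frozenset()

class Forbidden(Exception):
    """Raised for both missing and unauthorized records."""

def get_subscriber_vulnerable(session, subscriber_id):
    # Insecure direct object reference: the caller is authenticated, but the
    # id is never checked against the caller, so any record can be read.
    return SUBSCRIBERS.get(subscriber_id)

def get_subscriber_hardened(session, subscriber_id):
    record = SUBSCRIBERS.get(subscriber_id)
    allowed = record is not None and (
        record["owner"] == session.user or "support" in session.roles
    )
    # Same error for "missing" and "not yours" so ids cannot be probed.
    if not allowed:
        raise Forbidden("not found or not permitted")
    # Return only the fields the client needs, not the internal owner key.
    return {k: v for k, v in record.items() if k != "owner"}

def audit(handler, session, ids):
    """Return the ids whose records the handler discloses to a non-owner."""
    leaked = []
    for sid in ids:
        try:
            record = handler(session, sid)
        except Forbidden:
            continue
        if record is not None and SUBSCRIBERS[sid]["owner"] != session.user:
            leaked.append(sid)
    return leaked

if __name__ == "__main__":
    alice = Session("alice")
    print("vulnerable handler leaks:", audit(get_subscriber_vulnerable, alice, [1001, 1002]))
    print("hardened handler leaks:", audit(get_subscriber_hardened, alice, [1001, 1002]))
```

Running a check like `audit` in CI for every endpoint that takes an object identifier catches a missing ownership check before it ships.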
