In November, a threat actor known as “Lovely” tried to report a serious security vulnerability at Condé Nast by posing as a researcher named Dissent Doe. The company largely ignored the warnings. By late December, 2.3 million WIRED Magazine subscriber records were circulating on hacking forums, and Condé Nast still had not publicly acknowledged the breach or notified affected users.
On December 20, 2025, Lovely posted the WIRED data dump on Breach Stars and BreachForums, alongside threats to release up to 40 million more records from Condé Nast’s wider portfolio of brands, including Vogue, The New Yorker, Vanity Fair, and GQ. The leaked data includes 2.3 million email addresses, nearly 286,000 names, over 102,000 home addresses, and 32,426 phone numbers, all dating back to account creation in 2011, with the most recent activity logged as recently as September 8, 2025. No passwords or payment card information were exposed, but the combination of PII makes for a potent targeting vector.
What makes this incident particularly notable is not just its scale but the path that led to it. In late November, Lovely had genuinely attempted to engage in responsible disclosure. They contacted DataBreaches.net, a well-known vulnerability tracking blog, claiming to have found six serious flaws in Condé Nast’s infrastructure. They asked only for help reaching the right people to report the vulnerabilities, no bounty, no extortion, just notification of security issues that could affect 33 million accounts.
Condé Nast largely ignored them. By Christmas Day, that threat became reality. Lovely called it a “Christmas Lump of Coal,” and the data hit hacking forums within days. Researchers at Hudson Rock validated the breach’s legitimacy by cross-referencing leaked wired[.]com records with stolen credentials already logged in Infostealer malware databases like RedLine and Raccoon.
The technical flaws that enabled the scrape involved broken access control. The attacker exploited an Insecure Direct Object Reference (IDOR), a vulnerability where a web application provides access to internal database objects based on user-supplied input without performing adequate authorization checks to ensure the requester has permission to access that specific resource. The centralized identity platform that ties together Condé Nast’s media empire, the shared login system used across WIRED, Vogue, The New Yorker, and other properties, lacked basic authentication gatekeeping. Anyone could theoretically enumerate users by ID and pull their data. An attacker could change credentials without verification.
The company has not yet issued any public statement confirming the breach, notifying affected users, or explaining what remediation steps are underway. WIRED itself has published countless breach postmortems and security analyses, and yet it appears to have mishandled its own user data with the kind of negligence it would typically critique in others. The risk profile from this breach extends beyond typical identity theft concerns. The cache of 102,000 home addresses combined with email addresses creates a doxing risk, particularly for public figures, journalists, and policy makers who subscribe to publications like The New Yorker and Vogue. Phishing campaigns using Condé Nast brand context to target individual subscribers become low-friction once an attacker knows verified email-to-address mappings.
The broader ecosystem risk is the threatened 40 million record release. If Lovely follows through on leaks affecting the entire Condé Nast user base, the cascading effects across interconnected accounts could be severe. Subscribers who use the same email and password across multiple Condé Nast properties could be subject to lateral compromise.
Researchers have validated the legitimacy of the exposed data through independent means, so this is not a hoax or inflated threat actor claim. Have I Been Pwned added the WIRED breach to its database, and early subscribers reported hits on dark web monitoring services as of December 23. The data is real, the exposure is confirmed, and the company’s continued public silence only compounds user uncertainty about what happened and what they should do.
For WIRED subscribers, the practical advice is straightforward: check Have I Been Pwned, reset your password, enable 2FA if available, and monitoraccounts for phishing attempts. Lovely may or may not release the threatened 40 million records. But Condé Nast’s silence has already done the damage. When a company in the business of information refuses to inform its own users that their data has been compromised, it forfeits the trust that underpins any relationship with readers.
Caught feelings for cybersecurity? It’s okay, it happens. Follow us on LinkedIn, Youtube and Instagram to keep the spark alive.
