The New York Times Says It Was Not Hacked

By Fahmida Y. Rashid  |  Posted 2011-12-28

Internet users were startled Dec. 28 when they received an email from The New York Times regarding their home delivery service. Most of the recipients didn't even have a subscription with the venerable newspaper, let alone home delivery.

The email listed a toll-free number, which did not seem to be listed with The Times. The message encouraged recipients to reconsider cancelling their subscription and to sign up again at discounted rates.

Confused recipients flooded The Times with phone calls and spurred speculation on Twitter over whether the publication, or a third-party provider, had been hacked.

The whispers about a possible hack seemed almost confirmed when The Times posted on its official Twitter account, "If you received an e-mail today about canceling your NYT subscription, ignore it. It's not from us."

A quick response to deal with a developing situation, except it was wrong. The New York Times had not been hacked, and the email had actually been sent, albeit erroneously, by a Times staffer.

Amy Chozick, writing for The Times' Media Decoder blog, stopped the Twitter speculation when she dug deeper into the issue. "'The email was sent by the NYT,' a spokeswoman said," Chozick wrote on Twitter, about two hours after the initial Times post.

It turned out that a Times employee had intended to send out an email message to 300 people, and accidentally sent it to more than 8 million people, Chozick wrote. The 8.6 million recipients represented all the people who had ever given their email address to the newspaper for whatever reason in the past.

"We regret that the error was made, but no one's security has been compromised," a Times Company spokeswoman, Eileen Murphy, told Chozick.

The fact that people jumped so quickly to the conclusion that The Times, or a third-party marketing provider, had been hacked is a sign of how on edge they are because of reports of data breaches. People are also increasingly aware of, and alert to, possible spam attacks.

GigaOM's Colleen Taylor checked the email for a DomainKeys Identified Mail (DKIM) signature to figure out whether it had been digitally signed (it hadn't) and traced the mail server that sent the message to Epsilon Data Management, a division of Alliance Data Systems that manages email marketing campaigns for a number of large organizations. Epsilon had been breached earlier this year, and it appeared that this spam may have been part of that breach, or another incident.

As a result of cyber-attacks targeting organizations in practically every industry, people are no longer surprised if hackers steal email addresses and send out spam. The reverse appears to be true, with people being surprised when it's not an attack but a simple mistake.
