A data breach tied to WIRED has exposed more than 2.3 million subscriber records.
The incident became public on Dec. 25, 2025, when a threat actor group published a database it claimed was scraped directly from Condé Nast systems.
“We … identified legitimate subscriber credentials for wired.com within global infostealer infection logs,” researchers said.
What Data Was Exposed in the WIRED Breach
The leaked dataset includes approximately 2.3 million email addresses, nearly 286,000 subscriber names, more than 100,000 physical addresses, and over 32,000 phone numbers.
Records appear in JSON format and include user IDs, account creation dates ranging from 2011 to 2022, and activity timestamps as recent as Sept. 8, 2025.
Screenshots posted to BreachForums and Breach Stars suggest the data is shared across Condé Nast publications, including Vogue, Vanity Fair, GQ, and Architectural Digest.
Security researchers at Hudson Rock validated the authenticity of the WIRED data by correlating it with RedLine and Raccoon infostealer logs, identifying a high overlap with previously compromised credentials.
While no passwords or payment card data were included in the initial leak, the exposed personally identifiable information (PII) elevates the risk of phishing, account takeover, doxing, and social engineering attacks.
IDOR and Broken Access Controls Behind the Breach
According to researchers’ analysis, the breach stemmed from Insecure Direct Object References (IDOR) — a class of access control flaws that allow attackers to access backend objects simply by manipulating user-controlled identifiers such as account or profile IDs.
In this case, subscriber profiles were indexed by predictable, sequential identifiers, making them susceptible to enumeration.
By systematically iterating through these IDs, attackers were able to query the underlying application programming interfaces (APIs) and retrieve subscriber records at scale.
Because the backend failed to consistently enforce authorization checks, the system did not properly verify whether the requester was entitled to access each profile before returning the data.
The risk was compounded by broken access controls on account management endpoints.
Researchers report that certain endpoints responsible for handling profile updates lacked sufficient authentication and authorization safeguards.
As a result, unauthenticated users could not only view sensitive subscriber data but, in some cases, modify profile attributes such as email addresses and passwords.
Together, these weaknesses enabled attackers to perform bulk data exfiltration without completing a full authentication flow.
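To make the flaw concrete, here is an added example (not code from WIRED, Condé Nast, or the researchers) of a profile API handler that exhibits the IDOR pattern described above, beside a hardened version that enforces object-level authorization and exposes only non-guessable handles. The records, session tokens, and endpoint shapes are constructed assumptions; the point is that the vulnerable handler returns any record whose sequential ID exists, while the hardened one authenticates first, then checks that the caller owns the requested object, and additionally demands a fresh re-authentication step before a sensitive change such as an email update.

```python
"""Object-level authorization on a profile API: vulnerable vs hardened.

Added example with constructed in-memory data. Endpoint names, session
tokens and records are assumptions, not any publisher's real code.
"""
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample data: internal sequential IDs, as the article describes.
PROFILES = {
    1001: {"email": "alice@example.com", "name": "Alice"},
    1002: {"email": "bob@example.com", "name": "Bob"},
}
# Constructed session store: session token -> authenticated user ID.
SESSIONS = {"sess-alice": 1001, "sess-bob": 1002}
# Non-guessable public handle -> internal ID, so the sequential internal key
# never appears in a URL and cannot be walked.
PUBLIC_IDS = {secrets.token_urlsafe(16): pid for pid in PROFILES}


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def public_id_for(internal_id: int) -> str:
    """Opaque handle the API exposes for an internal record."""
    return next(pub for pub, pid in PUBLIC_IDS.items() if pid == internal_id)


def get_profile_vulnerable(profile_id: int, session_token: Optional[str] = None) -> Response:
    """IDOR: any record whose ID exists is returned. The session is accepted
    but never compared with the requested object, so iterating profile_id
    reads every subscriber."""
    profile = PROFILES.get(profile_id)
    if profile is None:
        return Response(404)
    return Response(200, dict(profile))


def _resolve_owned(public_id: str, session_token: Optional[str]) -> Tuple[Optional[Response], Optional[int]]:
    """Authentication first, then object-level authorization: the caller may
    only touch its own record. Returns (error_response, internal_id)."""
    user_id = SESSIONS.get(session_token or "")
    if user_id is None:
        return Response(401), None
    target = PUBLIC_IDS.get(public_id)
    # Same 404 for "does not exist" and "not yours", so responses do not
    # confirm which handles are valid.
    if target is None or target != user_id:
        return Response(404), None
    return None, target


def get_profile_hardened(public_id: str, session_token: Optional[str]) -> Response:
    err, pid = _resolve_owned(public_id, session_token)
    if err:
        return err
    return Response(200, dict(PROFILES[pid]))


def update_email_hardened(public_id: str, session_token: Optional[str],
                          new_email: str, reauthenticated: bool = False) -> Response:
    """Sensitive attribute change: ownership check plus a fresh
    re-authentication/MFA step (modelled here as a flag the session layer
    would set after a successful step-up)."""
    err, pid = _resolve_owned(public_id, session_token)
    if err:
        return err
    if not reauthenticated:
        return Response(403, {"error": "re-authentication required"})
    PROFILES[pid]["email"] = new_email
    return Response(200, {"email": new_email})


if __name__ == "__main__":
    bob = public_id_for(1002)
    print("vulnerable, alice reads bob:", get_profile_vulnerable(1002, "sess-alice").status)
    print("hardened, alice reads bob:", get_profile_hardened(bob, "sess-alice").status)
    print("hardened, bob reads bob:", get_profile_hardened(bob, "sess-bob").status)
```

Two design choices matter here. The authorization decision is made in one shared helper so that every handler on the resource, reads and writes alike, runs the same check; the article's account of update endpoints lacking safeguards is exactly the inconsistency this prevents. And the denied case returns the same 404 as a missing record, so an attacker probing handles learns nothing from the status code.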
Hardening Identity Systems Against Abuse
The following measures outline actions security teams can take to harden account systems, limit blast radius, and detect abuse.
- Audit and enforce object-level authorization on all account and profile APIs to prevent IDOR-style access and unauthorized data exposure.
- Implement rate limiting, request throttling, and API gateway or WAF rules to detect and block large-scale enumeration and scraping activity.
- Replace sequential identifiers with non-guessable object IDs and segment shared identity systems to reduce attack surface and blast radius.
- Require multifactor authentication for logins and sensitive account actions such as email changes, password resets, and profile updates.
- Enhance monitoring and logging for identity services to identify abnormal access patterns.
Together, these measures help strengthen the resilience of identity and account systems against both targeted and large-scale abuse.
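The monitoring and rate-limiting items above are where enumeration is usually caught in practice. As an added illustration (not tooling from the page or the researchers), the following detector reads API access-log lines in a constructed combined-log style, groups requests per client, and flags any client that touches many distinct profile IDs in mostly sequential steps within a short window. The log format, the `/api/v1/profiles/<id>` path scheme, the thresholds, and the sample lines are all assumptions.

```python
"""Flag profile-ID enumeration in API access logs. Added example with a
constructed, simplified combined-log line format and constructed sample data."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \d+'
)
# Assumed path scheme for the profile endpoint.
PROFILE_RE = re.compile(r"^/api/v1/profiles/(?P<pid>\d+)$")
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    """Return a dict for profile-endpoint requests, None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    p = PROFILE_RE.match(m["path"])
    if not p:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "pid": int(p["pid"]),
        "status": int(m["status"]),
    }


def detect_enumeration(lines, window=timedelta(seconds=60),
                       min_distinct=5, seq_ratio=0.8):
    """Return {ip: reason} for clients that requested at least min_distinct
    different profile IDs inside one sliding window, with at least seq_ratio
    of consecutive requests stepping by exactly one ID."""
    per_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            per_ip[ev["ip"]].append(ev)

    flagged = {}
    for ip, events in per_ip.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            pids = [e["pid"] for e in events[start:end + 1]]
            distinct = len(set(pids))
            if distinct < min_distinct:
                continue
            steps = sum(1 for a, b in zip(pids, pids[1:]) if abs(b - a) == 1)
            ratio = steps / (len(pids) - 1)
            if ratio >= seq_ratio:
                flagged[ip] = (f"{distinct} distinct profile IDs, "
                               f"{ratio:.0%} sequential within {int(window.total_seconds())}s")
                break
    return flagged


# Constructed sample log: one client walking sequential IDs within seconds,
# one ordinary subscriber reading their own profile, one unrelated request.
SAMPLE_LOG = [
    *[f'203.0.113.7 - - [25/Dec/2025:10:00:{i:02d} +0000] '
      f'"GET /api/v1/profiles/{1000 + i} HTTP/1.1" 200 512' for i in range(10)],
    '198.51.100.5 - - [25/Dec/2025:10:00:03 +0000] "GET /api/v1/profiles/1042 HTTP/1.1" 200 498',
    '198.51.100.5 - - [25/Dec/2025:10:00:40 +0000] "GET /api/v1/profiles/1042 HTTP/1.1" 200 498',
    '198.51.100.5 - - [25/Dec/2025:10:00:45 +0000] "GET /static/app.js HTTP/1.1" 200 9001',
]

if __name__ == "__main__":
    for ip, reason in detect_enumeration(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {reason}")
```

The same per-client counts feed a rate limit at the gateway: a client exceeding `min_distinct` different object IDs per window gets throttled before the detector has to fire. Once identifiers are opaque, as the list above recommends, the sequential-step signal disappears, but the distinct-object count per client remains a useful scraping indicator and should stay in place.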
When Identity Scale Becomes a Security Risk
The incident reinforces a common risk in digital publishing and SaaS environments, where centralized identity architectures drive efficiency and scale but can also amplify the impact of access control weaknesses when they occur.
These failures often stem from inconsistent authorization enforcement rather than advanced attacker techniques.
As a result, many organizations are increasingly looking to zero-trust architectures to eliminate implicit trust and enforce authorization consistently across identity and access layers.
