What Happened
In December 2025, a hacker using the alias “Lovely” leaked 2.3 million records of Wired.com users after exploiting insecure direct object reference (IDOR) flaws and broken access controls in Condé Nast’s centralized account management system. The data, posted on the Breach Stars hacking forum on December 20, 2025, included email addresses, usernames, full names, and, for some users, phone numbers, addresses, and dates of birth, but no passwords or payment information. The hacker claimed that Condé Nast ignored multiple security vulnerability reports over the course of a month and threatened to release an additional 40 million records from other Condé Nast publications, including Vogue, The New Yorker, and GQ. Security researchers from Hudson Rock authenticated the breach by matching the leaked records against infostealer logs, confirming the data’s legitimacy with entries as recent as September 2025. As of late December 2025, Condé Nast had not publicly confirmed the breach or disclosed details about remediation efforts.



