databreaches.net
Posted on December 25, 2025 by Dissent
Over the years, DataBreaches has been contacted by many people with requests for help notifying entities of data leaks or breaches. Some of the people who contact this site are cybercriminals, hoping to put pressure on their victims. Others are researchers who are frustrated by their attempts at responsible disclosure.
When it’s a “blackhat” contacting this site, DataBreaches often responds by seeking more information from them, and may even contact their target to ask for confirmation or a statement about claims that are being made. Usually, DataBreaches does not report on the attack or claims at that time, so as not to add to the pressure the entity might be under to pay some extortion. Occasionally, though, depending on the circumstances and the length of time since the alleged breach, this site may report on an attack that an entity has not yet disclosed, especially if personal information is already being leaked.
Some people have questioned whether I have been too friendly with cybercriminals or a mouthpiece for them. Occasionally, I have even been accused of aiding criminals. I’ve certainly knowingly aided some criminals who have contacted me over the years if they are trying to do the right thing or turn their lives around. And I’ve also helped some cybercriminals in ways I cannot reveal here because it involves off-the-record situations. One person recently referred to me as the “threat actor whisperer.”
The reality is that I talk to most cybercriminals as people and chatting with them gives me greater insights into their motivations and thinking. And, of course, it occasionally gives me tips and exclusives relevant to my reporting.
Do some threat actors lie to me? Undoubtedly. I resent being “played” and I get mad at myself if I have been duped.
The remainder of this post is about a data leak on a few forums involving data from WIRED and Condé Nast and how DataBreaches was “played.”
A Message on Signal
On November 22, a message request appeared on Signal from someone called “Lovely.” The avatar was a cute kitten, and the only message was “Hello.”
DataBreaches’ first thought was that this was a likely scammer, but curiosity prevailed, so I accepted the request. What they wrote next surprised me:
Can you try to get me a security contact at Condé Nast? I emailed them about a serious vulnerability on one of their websites a few days ago but I haven’t received a response yet
“Lovely,” who assured me they were not seeking a bug bounty or any payment, said they were simply trying to inform Condé Nast of a vulnerability that could expose account profiles and enable an attacker to change accounts’ passwords. On inquiry, they claimed they had only downloaded a few profiles as proof of the vulnerability.
“Lovely” showed me screenshots of attempts to inform WIRED and Condé Nast via direct contact with one of their security reporters and someone who claimed to be from their security team.
They also showed me my own registration data from WIRED.com, which was accurate, and the information from a WIRED reporter who seemingly confirmed his data was also correct.
WIRED account information for DataBreaches that Lovely showed her on November 27. It shows email address and date registered and last updated among the fields.
It all seemed consistent with what they had claimed.
Despite its vast wealth, Condé Nast lacks a security.txt file that explains how to report a vulnerability to them. Nowhere on its site did it plainly explain how to report a vulnerability to them.
Trying to help Condé Nast avoid compromise of what was described to me as a serious vulnerability risking more than 33 million users’ accounts, I reached out to people I know at WIRED. I also reached out to Condé Nast but received no replies from them.
When the “Researcher” Really Is Dishonorable
Weeks of failed attempts to get a response from Condé Nast followed and Lovely started stating that they were getting angry and thinking about leaking a database just to get the firm’s attention. Leaking a database? They had assured me they had only downloaded a few profiles as proof. But now they stated they had downloaded more than 33 million accounts. They wrote:
We downloaded all 33 million users’ information. The data includes email address, name, phone number, physical address, gender, usernames, and more.
The vulnerabilities allow us to
– view the account information of every Condé Nast account
– change any account’s email address and password
They also provided DataBreaches with a list of the json files showing the number of user accounts for each publication. Not all publications had all of the types of information.
DataBreaches reached out to Condé Nast again with that information, but again received no reply. A contact at WIRED was able to get the firm’s security team to engage and Lovely eventually told DataBreaches that they had made contact and given the security team information on six vulnerabilities they had found.
Six? How many lies had Lovely told me? Lovely asked me to hold off on reporting until the firm had time to remediate all the vulnerabilities. DataBreaches agreed, for the firm’s sake, but by now, had no doubts that Lovely had been dishonest and she had been “played.”
Eventually, Lovely sent a message that everything had now been remediated. DataBreaches asked, “Did they pay you anything?” And that’s when Lovely answered, “Not yet.” DataBreaches subsequently discovered that they have been leaking data from WIRED on at least two forums, with a list of all the json files they intend to leak. Or perhaps they intend to sell some of the data. Either way, they lied to this blogger to get her help in reaching Condé Nast.
“Regrets, I’ve Had a Few”
At one point when I reached out on LinkedIn seeking a contact at Condé Nast, someone suggested that Lovely wasn’t a researcher but was a cybercriminal and that I was aiding them.
With the clarity of hindsight, he was right in one respect, although I certainly had no indication of that at the outset or even weeks later. But as I replied to him at the time, “I hope I wasn’t helping a cybercriminal, but if Condé Nast found out about a vulnerability that allowed access to 33M accounts, did I harm Condé Nast by reaching out to them, or did I help them?”
I don’t know if Condé Nast verified Lovely’s claims or not about the alleged vulnerabilities. That said, based on what I had been told, I don’t regret my repeated attempts to get their security team to contact Lovely to get information about the alleged vulnerability.
As for “Lovely,” they played me. Condé Nast should never pay them a dime, and no one else should ever, as their word clearly cannot be trusted.
Update of December 27, 2025: By now, the data leak has started to be picked up on LinkedIn by Alon Gal and on Have I Been Pwned by Troy Hunt. Condé Nast has yet to issue any public statement or respond to this site’s inquiries. As HIBP reports:
In December 2025, 2.3M records of WIRED magazine users allegedly obtained from parent company Condé Nast were published online. The most recent data dated back to the previous September and exposed email addresses and display names, as well as, for a small number of users, their name, phone number, date of birth, gender, and geographic location or full physical address. The WIRED data allegedly represents a subset of Condé Nast brands the hacker also claims to have obtained.