TL;DR: A hacker calling themselves "Lovely" dumped 2.3 million WIRED subscriber records on a hacking forum, for the equivalent of $2.30. The database includes emails, names, physical addresses, phone numbers, and account activity spanning from 1996 to September 2025. Over 100,000 home addresses were exposed. The hacker claims they're sitting on 40 million more records from other Condé Nast properties like Vogue, The New Yorker, and Vanity Fair. Condé Nast hasn't said a word publicly.
The Dump
On December 20, 2025, a threat actor posted 2,366,576 WIRED subscriber records on a hacking forum called Breach Stars [1]. The price? About $2.30 in forum credits.
That's less than a cup of coffee for your subscriber data going back to 1996.
Security researchers at BleepingComputer verified the data by contacting twenty subscribers in the dump. They confirmed they were legitimate WIRED readers [2]. Hudson Rock researchers did their own validation using infostealer infection logs. The data checks out.
On December 27, Have I Been Pwned added the breach to their database [3]. If you want to know if you're in there, that's your first stop.
What Got Exposed
The database isn't complete for everyone, but here's what's in there [4]:
- 2.3 million+ email addresses (nearly every record)
- 286,000 subscriber names
- 102,479 physical home addresses (this is the scary one)
- 32,000+ phone numbers
- 67,000 birthdays
- Account creation and update timestamps
- Last session information
About 0.06% of records (roughly 1,400 accounts) have complete profiles with all demographic data. The rest have partial information.
The data spans from April 26, 1996 to September 9, 2025. Almost three decades of subscribers.
How They Got In
According to security researchers, Condé Nast made a basic mistake: their subscriber profiles used predictable, sequential IDs [5].
The vulnerability class is called IDOR, Insecure Direct Object Reference. It's been on the OWASP Top 10 for years. The fix isn't complicated.
Here's how it worked:
- Subscriber profiles were numbered sequentially (user ID 1, 2, 3...)
- The backend didn't check if you were authorized to view a profile
- The attacker just iterated through IDs and scraped everything
Even worse: some endpoints reportedly let unauthorized users modify profile data like email addresses and passwords [5]. Not just read access: write access.
This isn't sophisticated hacking. It's exploiting poor security practices that shouldn't exist at a major media company in 2025.
40 Million More Coming?
The WIRED dump might be just the beginning.
"Lovely" claims to have a much larger database: 40 million records across all Condé Nast properties [6]. That means potential exposure for subscribers to:
- Vogue
- The New Yorker
- Vanity Fair
- GQ
- Architectural Digest
- Bon Appétit
- And the rest of the Condé Nast portfolio
The hacker told DataBreaches.net they spent months trying to alert Condé Nast to the vulnerabilities before going public. When that failed, they went to the forums [7].
Whether that's true or just reputation management by a criminal, who knows. But the 40 million threat is out there.
Condé Nast's Response
Radio silence.
As of January 2026, Condé Nast has not:
- Confirmed the breach publicly
- Notified affected subscribers
- Responded to security researcher inquiries
- Announced any remediation steps
BleepingComputer, SecurityWeek, and multiple security researchers have reached out. Nothing back [2][6].
For a company that publishes WIRED (a magazine literally about technology and security), this is particularly embarrassing.
What WIRED Subscribers Should Do
Check Have I Been Pwned
Go to haveibeenpwned.com and search your email. The WIRED breach was added December 27, 2025.
Update Your Password
Change your Condé Nast account password immediately. Use a unique password you haven't used anywhere else.
Watch for Targeted Phishing
Attackers with your name, email, and address can send very convincing phishing emails. Be suspicious of anything claiming to be from Condé Nast publications.
Physical Security Matters
Over 100,000 home addresses were exposed. If you're in that group and have reason to be security-conscious (journalist, activist, public figure), take appropriate precautions.
Enable 2FA Everywhere
If Condé Nast offers two-factor authentication, enable it. Check all your other accounts that might use the same email.
Why This Matters
WIRED readers aren't random internet users. They're tech-savvy, often work in technology, and include journalists, security researchers, and executives.
A database of WIRED subscribers is a targeting list for:
- Spear phishing campaigns against tech workers
- Social engineering attacks using detailed personal info
- Credential stuffing if the same emails appear in password dumps
- Physical targeting using exposed home addresses
The irony of WIRED (a publication that covers security breaches) suffering this kind of basic vulnerability isn't lost on anyone.
References
- Hackread - Hacker Leaks 2.3M Wired.com Records, Claims 40M-User Condé Nast Breach
- BleepingComputer - Hacker claims to leak WIRED database with 2.3 million records
- Have I Been Pwned - WIRED Data Breach
- InfoStealers - WIRED Database Leaked: 40 Million Record Threat Looms for Condé Nast
- eSecurity Planet - 2.3M WIRED Subscriber Records Leaked in Condé Nast Data Breach
- SecurityWeek - Hacker Claims Theft of 40 Million Condé Nast Records After Wired Data Leak
- Security Affairs - Condé Nast faces major data breach: 2.3M WIRED records leaked, 40M more at risk