Swiss privacy and security company Proton and Constella Intelligence found more than 116,000 instances where employees at The New York Times, The Wall Street Journal, and The Washington Post had their data exposed to the dark web.
Across all three organizations, the company behind Proton Mail found exposure to the dark web over the past five years associated with more than 35,000 individual email addresses, according to a study conducted earlier this month. The company said that more than half of the exposures contained personal information such as names, phone numbers, dates of birth, and addresses, which cybersecurity experts say creates heightened risk for phishing and blackmail. The breaches also included thousands of passwords.
The goal of conducting the study, the organization told Semafor, was to better understand the scale of exposure journalists face as hostility towards independent journalism mounts. A spokesperson for Proton said it sent the information to the chief technology officers of all three companies to alert them of breaches. Proton also suggested that members of the media check to see if they have been exposed in previous high-profile breaches, change their passwords if so, and use a password manager.
“The reporters and their organizations are not to blame here. It’s a structural problem that affects everyone who uses the internet,” the company said in a post first shared with Semafor.
“American journalists face growing legal and political pressure, and the security risks they
face are not purely hypothetical. Leaked passwords open doors to email accounts, internal
systems, and communication platforms where source identities could be exposed,” and the release of reporters’ personally identifiable information “creates opportunities for blackmail or targeted harassment campaigns designed to silence or discredit” them.
Spokespeople for the Times and the Journal did not respond to Semafor’s inquiry about the employee information on the dark web. A spokesperson for the Post said the paper didn’t comment on IT, but emphasized that the report did not say the Post had experienced a security breach.