Crims disconnect Wired subscribers from their privacy, publish deets online
A criminal group is beating Conde Nast over the head for not responding sooner to its extortion attempt by posting stolen subscribers' email and home addresses and warning the publisher of Wired, The New Yorker, Vanity Fair, and Teen Vogue that it has 40 million more entries.
The group known as Lovely said that it tried to tell Conde Nast about the holes in its security a month ago, but after not receiving a response, it decided to publish the email addresses of subscribers on Christmas Day.
The current leak is centered around readers of Wired magazine. The miscreants published 2.3 million emails, which had the names of 285,000 subscribers, 108,000 home addresses, and 32,000 phone numbers.
Additionally, some user IDs, display names, account creation and update timestamps, and in some cases last session dates and IP addresses, have been published, which shows the database that was targeted could have contained live data and was not a static marketing repository.
“Conde Nast does not care about the security of their users’ data. It took us an entire month to convince them to fix the vulnerabilities (on) their website,” the hackers wrote in a forum post. “We will leak more of their users’ data (40+ million) over the next few weeks. Enjoy!”
The batch of files was published to Limewire and Gofile.io.
The world could soon learn if you subscribed to The New Yorker, from which they could infer whether you are the kind of person who appreciates their dry, witty cartoons that take poignant stabs at life in the modern age. The Register has reached out to Conde Nast for comment, but has not yet received a reply.
Security researchers who downloaded the tranche of files determined that the hackers were not bluffing. The email addresses that were released appear to match subscribers whose emails have been compromised. Researchers with Hudson Rock said the attack bears the hallmarks of techniques used by infostealer malware such as RedLine and Raccoon.
“Our researchers identified legitimate subscriber credentials for wired.com within global infostealer infection logs. By matching these compromised credentials against the records in the leaked database, we have definitively confirmed the authenticity of the dataset without any interaction with the victim organization,” Hudson Rock wrote on its website.
Its researchers warn that victims could be subject to doxxing, swatting and phishing campaigns as a result of having their information published. However, Hackread pointed out that the silver lining appears to be that no credit card information has been exposed.