A hacker operating under the alias “Lovely” has published what they claim is the personal data of more than 2.3 million Wired.com users, posting the leak on December 20, 2025, to a newly launched hacking forum called Breach Stars. The individual shared a download link, file hash, and a statement accusing Condé Nast—Wired’s parent company—of ignoring repeated vulnerability reports, while threatening to release data from over 40 million additional accounts across the company’s portfolio.
The leaked dataset appears to include full names, email addresses, user IDs, display names, and account creation and update timestamps, with some entries also showing last session dates. While no passwords or payment information are visible, the presence of real email addresses and unique identifiers makes the exposure significant. Many personal fields such as phone numbers and addresses are blank, suggesting they were not required at registration, but the mix of personal and system‑generated emails indicates the data spans both real users and internal testing accounts dating back to 2011.
Lovely also posted what they claim is a breakdown of user counts from other Condé Nast brands, alleging access to more than 40 million accounts across titles including The New Yorker, Vogue, GQ, Vanity Fair, Bon Appétit, and Architectural Digest. Some entries reference unfamiliar labels such as “NIL,” which the hacker says contain millions of additional records, suggesting the breach may involve a centralized identity system rather than isolated databases.
Condé Nast has not confirmed the breach, and independent verification is still underway. Early checks by researchers and social media users indicate that at least some of the leaked Wired.com records contain real user information, including names, emails, and hashed credentials. The hacker previously contacted journalists while posing as a security researcher, but their credibility came into question after they began issuing threats to leak the data. Until the company provides an official statement, the full scope and legitimacy of the alleged breach remain unverified
