An errant e-mail campaign has rattled subscribers to the New York Times with false cancellation notices. The e-mail blast meant for 300 subscribers was instead sent to 8 million current subscribers, raising speculation that the paper suffered a data breach.
The e-mail, which was widely received, led to confusion and complaints online, as both Times subscribers and non-subscribers reported receiving it. A spokesperson for the New York Times did not immediately respond to a request for comment from Threatpost. However, New York Times corporate media reporter Amy Chozick (@amychozick) used her Twitter account on Wednesday to report that the email was the result of an error, not a hack.
“UPDATE on NYT email: “The email was sent by the NYT,” a spokeswoman said. Should’ve gone to appx 300 people & went to over 8 mil,” Chozick wrote.
Subscribers began receiving e-mail messages with the subject “Important information regarding your subscription” on Wednesday. The messages, sent from the address nytimes@email.newyorktimes.com, appeared to be legitimate and did not contain any malicious links or attachments.
“Our records indicate that you recently requested to cancel your home delivery subscription,” the message begins. “We do hope you’ll reconsider.” The message offers subscribers a limited-time 50% discount on their subscription for renewing, and provides a phone number and offer code for subscribers to call. The number in the e-mail was busy Wednesday afternoon.
The lack of any obvious malicious intent led to speculation early on that the message may have been sent accidentally to a wide swath of subscribers. However, the New York Times was among the companies that used online marketing firm Epsilon, which was the subject of a high-profile hack. That stoked speculation that spammers or online criminals could have been behind the campaign.
The Times has had its share of security headaches. In 2009, the Times website was among the prominent media outlets that were compromised and forced into serving up malicious advertisements and Web redirection attacks. The company also found that an expensive new feature that limited content for non-subscribers had been defeated using JavaScript.