Post Millennial Data Breach Compromises Information of 26 Million Users. All data posted on ‘Have I Been Pwned.’
Two conservative online publications, The Post Millennial and Human Events, recently fell victim to a devastating data breach that exposed the personal information of over 26 million subscribers and website users.
According to the data breach notification on Have I Been Pwned and cybersecurity experts analyzing the incident, this could be one of the largest breaches of user data in history from an online media organization.
The hack occurred in early May, when an unknown threat actor was able to deface the websites for both The Post Millennial and affiliated site Human Events.
In addition to defacing the sites’ front pages with fake messages, the intruder also claimed to have stolen extensive databases containing highly sensitive information on millions of users. This reportedly included mailing lists, subscriber records, and even internal employee data like physical addresses and emails.
Within days, huge troves of stolen information began spreading widely across hacking forums and peer-to-peer networks. Security researchers obtained some of the leaked files and confirmed they contained extraordinarily detailed records for tens of millions of individuals.
The compromised data spanned multiple categories:
- Personal details like full names, genders, phone numbers, and physical addresses for over 26 million people
- Email addresses
- Usernames and account passwords in plaintext
- IP addresses
- Internal staff records exposing contact data for hundreds of writers and editors
Given the far-reaching scale and political nature of the targeted sites, there were immediate privacy and security implications for a huge number of North American conservative readers, subscribers, and journalists.
Post Millennial Hack Data Added to ‘Have I Been Pwned’ Breach Database
Prominent security researcher Troy Hunt, who maintains the Have I Been Pwned breach notification service, was among those to obtain samples of the stolen files. He determined they contained records from a variety of sources beyond just the news sites’ direct subscribers. Some records reportedly traced back to different marketing campaigns done by other groups entirely.
Nevertheless, due to the massive scope of the compromised user records, Hunt took the step of manually adding the entire Post Millennial/Human Events data cache to Have I Been Pwned. This allowed any of the estimated 26 million impacted individuals to quickly check if their email or other credentials were included in the breach.
“The breach resulted in the defacement of the website and links posted to 3 different corpuses of data including hundreds of writers and editors (IP, physical address, and email exposed), tens of thousands of subscribers to the site (name, email, username, phone and plain text password exposed), and tens of millions of email addresses from several thousand mailing lists alleged to have been used by The Post Millennial (this has not been independently verified),” reads HIBP’s post.
To date, neither The Post Millennial nor Human Events operator Human Events Media has publicly acknowledged or commented on the Post Millennial cyberattack. It remains unclear if they have notified all the potentially affected users, conducted internal investigations, or taken any remedial steps in response to what is arguably the largest online media data breach ever reported.
With so much sensitive user data now circulating in criminal hacking forums online, security experts unanimously advise all readers and subscribers of the conservative sites to carefully monitor account activity and consider changing any reused passwords without delay.
The full scale of the Post Millennial Data Breach is still being assessed.