The Telegraph, one of the UK’s largest online media, discovered that its 10TB database containing subscriber information was accessible to anyone.

The Telegraph, one of the UK’s largest online media outlets, has leaked 10TB of data after failing to properly protect one of its databases.

The leaked information includes internal logs, subscribers’ full names, email addresses, device information, URL requests, IP addresses, authentication tokens, and readers’ unique identifiers.

Bob Diatchenko, the researcher who discovered the unprotected dataset on September 14, 2021, confirms that at least 1,200 unencrypted contacts were accessible without passwords at the time he checked.

It’s worth noting that many of these examples relate to Apple News subscribers’ subscriber information, including passwords in plain text.

This newspaper was contacted immediately, but it took two days before we could finally respond and secure the database.

Because this instance was not indexed by a specialized search engine until September 1, 2021, the data has been in an exposed state for at least three weeks. This is enough time for an attacker or automated scanner to find the exposed database and exfiltrate the data it contains.

Only some subscribers will be affected

As a result of this data breach, those who may have been exposed are primarily at risk of email fraud and phishing.

There is also a privacy risk, as leaked URL requests may be used to build up a user’s browsing history on news platforms.

The impact for The Telegraph is that the stolen access token could be used by non-subscribers to access content locked behind the company’s paywall, but resetting it will solve the problem.

In response to the above, The Telegraph

We became aware of this discovery on September 16 and took immediate action to protect the data.

As a result of our investigation, we found that only a small number of records had been compromised, less than 0.1% of our users, so we contacted all users to inform them.

In addition, our investigation led us to conclude that although data was leaked, it was not compromised in any way other than what the researcher posted.

We are grateful for the work of independent researchers who responsibly disclose vulnerabilities and public information, which is critical to our ongoing efforts to protect our assets.


These comments put the number of individuals affected at 600, which is less than the number of revelations that Dychenko has seen. The Telegraph also says that these people are not at risk of being misused, as Dychenko is the first and last person to access sensitive data.

If you are a Telegraph subscriber, we recommend that you reset your password and be on the lookout for unsolicited emails making bold claims and asking you to take urgent action to protect your account.

Leave a Reply

Your email address will not be published.