New York Times source code stolen using exposed GitHub token (bleepingcomputer.com)
26 points by thm on June 8, 2024 | hide | past | favorite | 4 comments


Related:

270GB of source code from The New York Times leaked to 4Chan - https://news.ycombinator.com/item?id=40609922 - June 2024 - (47 comments)

'New York Times source code' leaks online via 4chan - https://news.ycombinator.com/item?id=40616387 - June 2024 - (7 comments)

The New York Times source code leaked by a 4chan user - https://news.ycombinator.com/item?id=40612233 - June 2024 - (1 comment)


It seems that some sources take the phrase "source code leak" too literally - as in, the entire 270GB is just _source code_, which is of course wrong. Also, some haven't even noticed that the leak isn't just their source code repositories; it's actually repositories with the entire Git history (.git subfolder), which does seem to end at late January for some of the bigger repos, making the date quite accurate.

Another thing to note is that apparently multiple repositories have private information like addresses or phone numbers.

As for the leak itself, download at your own discretion, but from the looks of it they're just harmless tar archives of repositories: https://files.catbox.moe/ez1ncr.txt


Kind of ironic reading this and then finding https://github.com/customer-stories/nytimes, huh?

Wonder how GitHub wasn't able to detect a single token downloading the entire organization's worth of repositories, especially if it's over 6 thousand of them. Surely that's not something that's done regularly? Seems like a pretty massive oversight if anyone can just grab a token and get themselves a full copy of the organization.


You’d be surprised. Repo mirroring systems, continual cloud backups, sysadmins/engineers cloning every repo of an org, 3rd party tools regularly inspecting repos, etc.

The best option is for the organization themselves to monitor their gh/ghes logs, exclude this sort of activity, and then detect it themselves. There’s no way gh can monitor all orgs for mass repo clones without a mess of false positives.
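One way to do the monitoring the comment above describes, as an added example that is not from this thread or from GitHub: a sliding-window count of distinct repositories cloned per actor-and-token pair, with an allowlist for known mirroring or backup accounts. The event shape (`@timestamp`, `actor`, `action`, `repo`, `hashed_token`) and the sample events are constructed for this example and are an assumption about what an exported audit log looks like.

```python
"""Flag one credential cloning an unusual number of distinct repos in a short window."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def parse_ts(value):
    # Constructed sample uses ISO-8601 timestamps with a trailing Z.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_mass_clones(events, window=timedelta(hours=1), max_repos=50, allowlist=frozenset()):
    """Return {(actor, token): peak distinct repo count} for credentials that cloned
    more than max_repos distinct repositories within any `window`.
    Actors in `allowlist` (mirror bots, backup jobs) are skipped to cut false positives."""
    per_key = defaultdict(list)
    for ev in events:
        if ev.get("action") != "git.clone" or ev.get("actor") in allowlist:
            continue
        per_key[(ev["actor"], ev["hashed_token"])].append((parse_ts(ev["@timestamp"]), ev["repo"]))

    hits = {}
    for key, items in per_key.items():
        items.sort()
        start, seen = 0, defaultdict(int)  # seen: repo -> clones inside the window
        for ts, repo in items:
            seen[repo] += 1
            while ts - items[start][0] > window:  # drop events older than the window
                old = items[start][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                start += 1
            if len(seen) > max_repos:
                hits[key] = max(hits.get(key, 0), len(seen))
    return hits


def constructed_events():
    """Constructed sample: an engineer and a mirror bot behaving normally, plus one
    token (hypothetical 'ci-svc') pulling 120 distinct repos in 30 minutes."""
    t0 = datetime(2024, 1, 20, 2, 0, tzinfo=timezone.utc)
    ev = []

    def clone(actor, token, repo, minutes):
        ev.append({"@timestamp": (t0 + timedelta(minutes=minutes)).isoformat().replace("+00:00", "Z"),
                   "action": "git.clone", "actor": actor, "hashed_token": token,
                   "repo": f"example-org/{repo}"})

    for i in range(3):
        clone("alice", "tok-alice", f"app-{i}", i * 10)
    for i in range(200):
        clone("mirror-bot", "tok-mirror", f"repo-{i}", i)   # known mirroring account, allowlisted
    for i in range(120):
        clone("ci-svc", "tok-leaked", f"repo-{i}", i // 4)  # 120 repos in 30 minutes
    return ev
```

Without the allowlist the mirror bot is flagged too, which is the false-positive problem the comment describes; tuning `max_repos` and the allowlist is the per-organization work GitHub itself cannot do.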



