Image: Alexander Nemenov/Contributor via Getty Images
A blockbuster investigation from the New York Times in September, 2022, inadvertently exposed the apparent phone numbers of Russian soldiers as well as the apparent civilian family members they were speaking to, Motherboard has learned. Some of these people were providing a frank assessment of the ongoing Ukraine war, and blunt criticisms of their superiors including President Putin himself. The exposure potentially put the people at risk of reprisal from their own government and other third parties.
Hacking. Disinformation. Surveillance. CYBER is Motherboard's podcast and reporting on the dark underbelly of the internet.
The news highlights not only the risks phones pose in wartime, but also the security hazards that can be posed by journalists handling leaked information. Last week, for example, dozens of Russian soldiers were killed in an attack by Ukrainian forces; the Kremlin said they were targeted based on cell phone data. “For Russian troops, cellphone use is a persistent, lethal danger,” the Times wrote.
When contacted by Motherboard, the Times initially said that it took steps to delete the metadata but failed to scrub several audio files. It said that the metadata was up for only a "few hours.” “Before publication, we worked to remove identifying information from the story. We later learned that some buried metadata was live on the site for a few hours, and took prompt steps to remove it,” Charlie Stadtlander, director, external communications, newsroom, at the New York Times initially told Motherboard in a statement.Motherboard then found that additional phone numbers and internal notes for fact checkers—which in some cases seemingly included not only the number of the apparent soldier but also the person they were speaking to, as well as their supposed relation—remained online in the article's source code as of Wednesday afternoon, months after publication. When contacted again by Motherboard, the Times edited the piece to remove that metadata from the source code, and replace it with "null."
Do you know any other cases of data exposure? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, or email email@example.com.
In response to the second request for comment about the further exposure in the source code, Stadtlander provided a nearly identical statement that only removed the “few hours” section. “Before publication, we worked to remove identifying information from the story. We later learned that some buried metadata was live on the site and took prompt steps to remove it,” Stadtlander wrote.Motherboard found what appears to be multiple phone numbers in the source code.Security experts told Motherboard the exposure is dangerous.“This metadata error is a regrettable and entirely avoidable cockup on the part of the New York Times,” Thomas Rid, professor of strategic studies at Johns Hopkins University/SAIS, told Motherboard in an online chat. “The Times says it spent almost two months on translating the recordings—well, it should have spent another 20 minutes on scrubbing the metadata.”In its investigation, the Times says it obtained recordings of thousands of calls that Ukrainian law enforcement agencies intercepted. The calls provided frank, on the ground assessments of the Russian military and President Putin’s failures in Ukraine.“Putin is a fool. He wants to take Kyiv. But there’s no way we can do it,” one said. Another conversation started “What else do they say? When is he going to finish all this, Putin? Fuck.” The person’s partner replied “He says everything is going according to the plan and the timeline.” The soldier responded with “He was gravely mistaken.”
Other conversations saw soldiers lambast their superiors. “They said we were going for training. These bastards didn’t tell us anything,” one said. “Mom, this war is the stupidest decision our government ever made, I think,” another said. In its investigation, the Times decided to publish only the first names of the quoted soldiers to protect their identities. The inclusion of apparent phone numbers undermines that effort. Armed with a phone number, Russian authorities may be able to track down who was critical of the government’s wartime efforts.Motherboard found the Times website included not only the numbers of apparent soldiers on these calls, but also the alleged family members back home. That included the number that placed the call, the number that received it, and apparent notes from Times’ fact checkers on the caller’s identities.“Exposing the phone number of the families of Russian troops is exposing those family members to risks,” Rid added.While those soldiers or family members could be targeted for their criticisms of the war, security researcher Matthew Tait said. “On the Russian state side, the targeting is, in my opinion, much more likely due to potential exposure of senior officers and the Russian state in identifying directed war crimes than for criticism of Putin.”When originally published in September, some of the audio files included in the story contained pieces of metadata that contained a date, a timestamp, and a series of digits. Those digits appear to be phone numbers. This month, a security researcher flagged the issue to Motherboard. The security researcher requested anonymity because they did not want to draw the attention of either Russian or Ukrainian authorities.
After Googling one, Motherboard found the first and last name of an individual who appeared to be a Russian soldier, as listed on a website that was set up to dox Russian soldiers who are allegedly fighting in the war in Ukraine.Motherboard called two exposed numbers. One went to voicemail and the other was disconnected.This month the Times published an article on how Ukrainian artillery targets Russian soldiers because of their cellphone use. It wrote “the use of personal cellphones has plagued both Ukraine and especially Russia throughout the war, leaving troops vulnerable to a piece of technology that, however mundane and ubiquitous in daily life, can pose an existential threat in modern war.” Greg Walters provided additional reporting on this piece.Subscribe to our cybersecurity podcast, CYBER. Subscribe to our new Twitch channel.