Journalists have always operated in the crosshairs. They investigate the powerful, protect confidential sources, and publish uncomfortable truths. Today the threats they face are evolving, with political pressure and surveillance coming not only from authoritarian regimes but also from backsliding liberal democracies. Bad actors can use hacks and data breaches to disrupt their operations, retaliate against whistleblowers, and ultimately compromise their editorial independence.

To better understand the risks facing media today, Proton analyzed dark web marketplaces where hackers trade in pilfered databases to understand media companies’ exposure to digital vulnerabilities. We chose three of the biggest names in US media — The New York Times, The Washington Post, and The Wall Street Journal — and scanned for leaks associated with those organizations and their employees.

Our research turned up more than 116,000 dark web exposures tied to email addresses associated with The New York Times, The Washington Post, and The Wall Street Journal. The volume of exposed data that we discovered — often leaking from multiple sources — places these companies at serious risk of targeted cyberattacks, blackmail, or social engineering.

The leaks include over 12,000 plaintext passwords and over 61,000 pieces of personally identifiable information, revealing the vast scale of cybersecurity risks faced by reporters and their sources.

The media aren’t the only ones at risk. A previous investigation from Proton found thousands of politicians’ leaked emails and passwords on the dark web, representing not only personal privacy vulnerabilities but potential national security threats.

It’s important to note that these leaks are not proof that The New York Times, The Washington Post, or The Wall Street Journal have suffered any kind of cyberattack. The leaks are typically from third-party sources, such as retailers or software providers, who have suffered data breaches that exposed their customers’ data. But the existence of these leaks opens up media companies to targeted hacks, breaches, blackmail, and social engineering.

The scale of data leaks in US media

Proton’s research team, working with Constella Intelligence(uusi ikkuna), identified more than 116,000 dark web exposures connected to over 35,000 individual email addresses, including the employees’ work and personal accounts, contact forms, and team mailboxes.

Consistent with responsible disclosure principles, we’ve already informed each of the publications, providing them details of our findings and time to take appropriate actions.

Such a large amount of information from just three media companies illustrates the potentially enormous scale of data breaches in the media industry.

How does this happen?

The reporters and their organizations are not to blame here. It’s a structural problem that affects everyone who uses the internet, including you.

Whenever someone uses their name, email address, or birthday to register for a third-party service, like LinkedIn, Adobe, or Dropbox, they entrust some of their personal information to that company. When those third-party platforms are breached (and breaches happen constantly), the credentials and personal data of everyone who registered can end up on the dark web. In many cases, these leaks also include passwords, and if the victim is reusing the same password in multiple places, it creates much broader cyber security risks. We publish general findings regularly in our Data Breach Observatory.

At Proton, we’ve developed tools specifically to help people identify and mitigate the effects of data breaches. Pass Monitor is included in Proton Pass, and companies that use our business password manager or our broader suite of business tools benefit from robust account security defenses.

Threat to US press freedom

In parts of the world where press freedom is most severely threatened — like China, Iran, or Saudi Arabia — attacks on journalists rarely stop at political pressure. They extend into surveillance, social engineering, blackmail, and intimidation. Compromised credentials are a tool of authoritarian control as much as they are a tool of conventional cybercrime.

The United States is not exempt from this dynamic, ranking 64th on the World Press Freedom Index(uusi ikkuna). American journalists face growing legal and political pressure, and the security risks they face are not purely hypothetical. Leaked passwords open doors to email accounts, internal systems, and communication platforms where source identities could be exposed. PII creates opportunities for blackmail or targeted harassment campaigns designed to silence or discredit reporters.

More than 2,500 email addresses in our dataset have been exposed ten or more times — meaning some individuals are persistently vulnerable, with their information circulating repeatedly across dark web markets and forums.

What people and organizations can do to stay safe

The exposures we identified are the downstream consequence of third-party breaches — outside the control of any individual journalist or newsroom. But there are meaningful steps organizations and individuals can take to reduce their exposure and limit the damage when breaches do occur.

For organizations:

For individuals:

  • Use unique, strong passwords for every account
  • Use email aliases when registering for third-party services, so that a breach of one service doesn’t expose your primary address across the board
  • Enable two-factor authentication wherever possible
  • Treat your work email address as sensitive infrastructure — because it is

The dark web doesn’t discriminate. Anyone whose data passes through a breached service can end up exposed. Good account hygiene is the first and most important line of defense — and the tools to practice it have never been more accessible.

If your media organization would like to learn more about Proton security solutions, learn about our discounts for news organizations.