Light bulb Limited Spots Available: Secure Your Lifetime Subscription on Gumroad!

Jul 02, 2026 · 6 min read

Proton Finds 116,000 Journalist Records on Dark Web

A five year scan of dark web marketplaces turned up passwords, phone numbers, and home addresses tied to reporters at the New York Times, the Washington Post, and the Wall Street Journal.

Proton and threat intelligence firm Constella Intelligence spent May 2026 scanning dark web marketplaces for data connected to journalists at three of the largest newsrooms in the United States. What they found was not a single breach or a hack of any newsroom's servers. It was five years of accumulated exposure, sitting in criminal marketplaces, tied to work email addresses, personal accounts, and even newsroom contact forms.

The number that matters is 116,000. That is how many separate instances of exposed data Proton's researchers tied back to employees of the New York Times, the Washington Post, and the Wall Street Journal, according to Semafor's report on the investigation. None of it required attacking the newsrooms directly.

Key Takeaways

  • Proton and Constella Intelligence identified more than 116,000 dark web exposures tied to journalists at the New York Times, the Washington Post, and the Wall Street Journal, published May 25-26, 2026.
  • The exposures trace back to more than 35,000 individual email addresses across the three newsrooms, accumulated over roughly five years of breach activity.
  • More than 12,000 plaintext passwords and over 61,000 personally identifiable information records, including names, phone numbers, dates of birth, and home addresses, were found in the exposed data.
  • More than 2,500 journalist email addresses appeared in 10 or more separate breach datasets, meaning some reporters have been re-exposed dozens of times over.
  • Proton says the leaks originate almost entirely from third party breaches, retailers, software vendors, and other services journalists used, not from direct attacks on the news organizations themselves.

What Did Proton Actually Find?

Proton's investigation catalogued 116,000-plus instances of journalist data circulating on dark web marketplaces, tied to 35,000-plus distinct email addresses across the three outlets. Inside that dataset, researchers counted more than 12,000 plaintext passwords and more than 61,000 pieces of personally identifiable information such as full names, phone numbers, dates of birth, and physical addresses.

One detail stands out beyond the raw totals: over 2,500 email addresses showed up in ten or more separate breach datasets. That is not a single bad password reused once. It is the same reporter's identity resurfacing across years of unrelated third party breaches, each one adding another layer of exposure an attacker can stitch together.

Proton's own writeup frames the source of this data plainly. Researchers matched newsroom domains and known staff email patterns against breach corpora Constella Intelligence has aggregated from criminal forums over the past several years, then verified which records were tied to the three outlets. Proton says it followed responsible disclosure and notified each publication before going public, according to Proton's blog post on the findings.

Did the Times, Post, or Journal Get Hacked?

No. Proton was explicit that none of the three organizations suffered a direct breach of their own systems. A Washington Post spokesperson confirmed to Semafor that the report "did not say the Post had experienced a security breach," while spokespeople for the Times and the Journal did not respond to requests for comment.

Instead, the exposure comes from the ordinary digital footprint every employee accumulates outside of work. A reporter who used their work email to sign up for a retailer account or a software trial has effectively handed that address to every company in that chain, and each one is a potential breach target. When any of them gets hit, the journalist's credentials end up for sale regardless of how secure the newsroom's own network is.

A Proton spokesperson put it directly to Semafor: "The reporters and their organizations are not to blame here. It's a structural problem that affects everyone." That framing shifts the conversation away from newsroom IT failures and toward a larger reality — anyone whose professional identity is tied to a single email address inherits the security failures of every service that address ever touched.

Dark web data exposure affecting journalist email accounts at major news outlets, illustrated with locked files and warning indicators in indigo and blue tones

Why This Matters More for Journalists Than Most Workers

A leaked password is a headache for most professionals. For a journalist, it can be the thread that unravels a source's identity. Reporters covering national security or corporate wrongdoing rely on the assumption that their email account is a closed room. Once a password from an old retailer breach turns out to be reused on a work account, or a home address surfaces alongside a byline, that assumption breaks down.

This exposure lands at a moment when hostility toward the press is already escalating through other channels. The FBI has separately faced scrutiny for surveilling journalists without adequate cause, and press freedom groups have documented state actors deploying commercial spyware against reporters, as detailed in the IFJ's mapping of global surveillance tools used against journalists. Dark web credential exposure adds a quieter, cheaper attack path to that same threat landscape. A hostile actor does not need spyware if a reporter's plaintext password is already sitting in a breach dump for a few dollars.

The Committee to Protect Journalists has documented similar consequences up close. In one case a Mexican journalist's email account was compromised and used to plant malware targeting their contacts, an outcome that starts exactly where Proton's research leaves off: with a compromised credential nobody thought was still dangerous.

What Should Journalists Do About It?

The practical response starts with treating every old account as a liability. Reporters should check whether their work or personal email appears in known breach datasets, using a service such as Have I Been Pwned, and rotate any password ever reused across a work account and a third party service.

  • Use a password manager with unique, randomly generated passwords for every account so a single retailer breach cannot cascade into a newsroom credential.
  • Enable two factor authentication on the work email account, ideally with a hardware key rather than SMS, which can be intercepted through SIM swapping.
  • Separate source communication from routine work email. Sensitive conversations belong on encrypted, purpose built channels, not an inbox that also receives newsletter sign ups and retailer receipts.
  • Ask whether the newsroom's IT department monitors for employee credentials appearing in breach dumps, and push for that monitoring if it does not exist.

Newsroom security teams face a harder question. If more than 2,500 addresses were exposed ten times or more, a one time password reset will not fix the pattern. It points to continuous dark web monitoring tied to newsroom domains, similar to programs banks and government agencies already run for their own staff.

The Bigger Picture for Press Freedom

Most coverage of this investigation has focused on the headline figure. The more useful story is what the data reveals about how source protection actually fails in practice. It rarely fails because of a dramatic hack of a newsroom's servers. It fails through forgotten accounts on retailers and software trials that quietly link a journalist's professional identity to services with far weaker security than any newsroom would tolerate internally.

Proton has positioned itself as a privacy watchdog on multiple fronts this year, including its warnings about Switzerland's push to force backdoors into encrypted email. The throughline across both stories is the same: high profile professionals, whether encrypted email users or reporters, are not targeted more often than anyone else. They are simply higher value once their data surfaces, which turns ordinary consumer breaches into press freedom incidents after the fact.

Digital security training for journalists has historically emphasized resisting direct attacks: phishing, spyware, targeted hacking. Proton's numbers suggest just as much attention needs to go toward the mundane digital hygiene that determines whether an old retailer account eventually becomes the reason a source's identity gets exposed.

Stop Email Tracking in Gmail

Spy pixels track when you open emails, where you are, and what device you use. Gblock blocks them automatically.

Try Gblock Free for 30 Days

No credit card required. Works with Chrome, Edge, Brave, and Arc.