New Yorker Liza Sabater said she chanced upon a yet-to-be-launched New York politics blog and was able to log in and write posts to the site.
"[It was] just as easy as signing in through their WordPress login page," Ms Sabater wrote. "I honestly cannot believe they just left the door open like that."
The Times operates several weblogs using the open-source WordPress platform. Ms Sabater discovered the nascent blog, which does not yet appear on the paper's index page and included placeholder design elements, in the referrer logs for her Daily Gotham site, which staff at the Gray Lady had linked from their development.
Upon logging in, she said, she posted several entries and exposed the incident to readers around the blogosphere.
"I did not hack into the site," read her message. "You've just got a major security hole. You've overlooked what I would consider a huge detail in blog development. You never, ever leave the login permissions open while mired in testing and development."
Free daily newsletter
If you like our news and feature articles, you can sign up to receive our free daily (Mon-Fri) email newsletter (mobile friendly).
Related articles
- NYT's Hannah Yang on subscription ceilings, international markets and news bundles
- How to discover value and build loyalty with newsletters
- Newsrewired special: How The Times is running towards a digital-first future
- Subscription retention strategies: pain points and remedies
- How should the media cover COP26 and climate change long-term?
