New Yorker Liza Sabater said she chanced upon a yet-to-be-launched New York politics blog and was able to log in and write posts to the site.
"[It was] just as easy as signing in through their WordPress login page," Ms Sabater wrote. "I honestly cannot believe they just left the door open like that."
The Times operates several weblogs using the open-source WordPress platform. Ms Sabater discovered the nascent blog, which does not yet appear on the paper's index page and included placeholder design elements, in the referrer logs for her Daily Gotham site, which staff at the Gray Lady had linked from their development.
Upon logging in, she said, she posted several entries and exposed the incident to readers around the blogosphere.
"I did not hack into the site," read her message. "You've just got a major security hole. You've overlooked what I would consider a huge detail in blog development. You never, ever leave the login permissions open while mired in testing and development."
Free daily newsletter
- The Times set to launch a radio station to capture new subscribers
- 'Conscious commissioning': what The Times learned from deep analysis of its journalism
- Nine tips on crafting the perfect headline for print and online
- What do millennials and Gen Z want from the news? Convenience and hard-hitting content
- Weekly journalism news update: Virtual reality, WhatsApp audio briefings and TikTok