New Yorker Liza Sabater said she chanced upon a yet-to-be-launched New York politics blog and was able to log in and write posts to the site.
"[It was] just as easy as signing in through their WordPress login page," Ms Sabater wrote. "I honestly cannot believe they just left the door open like that."
The Times operates several weblogs using the open-source WordPress platform. Ms Sabater discovered the nascent blog, which does not yet appear on the paper's index page and included placeholder design elements, in the referrer logs for her Daily Gotham site, which staff at the Gray Lady had linked from their development.
Upon logging in, she said, she posted several entries and exposed the incident to readers around the blogosphere.
"I did not hack into the site," read her message. "You've just got a major security hole. You've overlooked what I would consider a huge detail in blog development. You never, ever leave the login permissions open while mired in testing and development."
Free daily newsletter
- How should the media cover COP26 and climate change long-term?
- Ben Spencer, science editor, The Sunday Times, on the future of climate journalism
- Coronavirus, statistical chaos and the news, one year on
- The Times set to launch a radio station to capture new subscribers
- 'Conscious commissioning': what The Times learned from deep analysis of its journalism