The New York Times says it didn't send a mass email erroneously telling loads of people their subscriptions were expired. But all indications are that the message originated from the paper or its approved vendor, likely as a mistake.
Many, if not all, of the Times' readers received an email around 1:15pm ET today saying "our records indicate that you recently requested to cancel your home delivery subscription." Virtually none had done so. Many do not even get home delivery service. We received several emails from readers concerned that the Times had been hacked or that there was a "phishing scam" under way.
Kinda, sorta, but not really: The message originated from email.newyorktimes.com, run by the paper's own email vendor, and contained no dangerous or unusual content. So it doesn't meet the usual definition of spam, and was hardly dispatched by a random stranger.
If you look at the message's headers, you can see it was sent by servers at Epsilon Marketing, as Washington Post digital staffer Yuri Victor has pointed out. Epsilon Marketing, in turn, is listed as as an approved sender in an authorization entry published by the New York Times domain "email.newyorktimes.com." Indeed, the Times' name servers point to Epsilon's network as the host of email.newyorktimes.com. An image contained within the message is also hosted on Epsilon servers.
What this means is that you don't have to worry about the email. It was almost certainly sent by the Times or its vendor, and did not attempt to solicit money or identity credentials, for example by pointing people to a non-Times web server. The toll-free phone number listed in the message belongs to the Times, so if a hacker was involved in somehow triggering the mass email, the only damage they'd have done is to the newspaper's phone bill.
It also means the paper was probably the victim of an accident rather than a hack attack, although there's certainly a chance an intruder managed to launch the mailing through a very limited compromise of Epsilon's systems, in which the attacker somehow gained the ability to hit "send" without also gaining the ability to tamper with the contents of the message. It's hard to imagine the motive for such an attack.
A Times spokeswoman told us the paper is investigating the incident and will say something when it knows more. Ten bucks says its next words will include an apology of some sort. Don't be too hard on yourselves, guys - this sort of screw-up happens to basically everyone. Even hacker types!
Update: It was indeed an error by the Times. A spokeswoman emails:
An email was sent earlier today from The New York Times in error. This email should have been sent to a very small number of subscribers, but instead was sent to a vast distribution list made up of people who had previously provided their email address to The New York Times. We regret the error.