This week, one or more unknown hackers compromised the business magazine Fast Company and sent racist and inappropriately sexual push notifications to Apple News users. Specifically, the threat actor breached the content management system of the U.S.-based publication.
Apple News disabled the Fast Company channel following the alert, which it described as an “incredibly offensive alert,” sent because of the hack. Soon after, Fast Company confirmed the breach that led to its systems sending out two obscene and racist push notifications to subscribers, including the words “Thrax was here.”
But the breach goes back to Sunday when the website was defaced with foul language after the threat actor, who goes by the nickname postpixel, claimed they were able to crack the default password used across multiple accounts, including that of an administrator.
postpixel described the hack as “ridiculously easy” in a post on Fast Company’s forum page. It led the threat actor to access admin pages, email, alerts, etc. Rachel Tobac, CEO of Social Proof Security, tweeted:
So far the attacker claims they were able to hack Fast Company due to a simple reused password that gave them access to most tools including admin pages, email, alerts, etc (but not customer data). pic.twitter.com/QaeNLRd5pg
— Rachel Tobac (@RachelTobac) September 28, 2022
Considering the hacker was able to push out notifications on Apple News, it is reasonable to assume they also accessed Apple News API keys, which postpixel confirmed. According to the post, before the attacker could crack the WordPress password, they found the origin IP and bypassed the HTTP basic auth.
“We were able to exfiltrate a BUNCH of sensitive stuff through there – Auth0 tokens, Apple News API keys, Amazon SES secrets (we could literally send email as any @fastcompany.com email with this access), etc,” the hacker claimed. “We also found a Slack webhook, which we could’ve used to pull some bulls–t, but we didn’t want to bother.”
However, customer records remain unaffected. The hacker also ridiculed Fast Company for doing less than necessary to control the compromise.
postpixel also claimed to have some employees’ email addresses, usernames, and IPs as well as drafts which they said they would publish on a breach forum.
“The messages are vile and are not in line with the content and ethos of Fast Company,” the publication said. “Fast Company regrets that such abhorrent language appeared on our platforms and in Apple News, and we apologize to anyone who saw it before it was taken down.”
Fast Company has engaged a cybersecurity firm in its incident response efforts. Fast Company’s official website was taken down on Tuesday evening and currently redirects to a statement on the hack. It will stay down “until we are certain the situation has been resolved.”