This week, an unknown hacker(s) compromised the business magazine Fast Company and sent racist and inappropriately sexual push notifications to Apple News users. Specifically, the threat actor breached the content management system of the U.S-based publication.
Apple News disabled the Fast Company channel following the alert, which it described as an “incredibly offensive alert,†sent because of the hack. Soon after, Fast Company confirmed the breach that led to its systems sending out two obscene and racist push notifications to subscribers, including the words “Thrax was here.â€
But the breach goes back to Sunday when the website was defaced with foul language after the threat actor, who goes by the nickname postpixel, claimed they were able to crack the default password used across multiple accounts, including that of an administrator.
postpixel described the hack as “ridiculously easy†in a post on Fast Company’s forum page. It led the threat actor to access admin pages, email, alerts, etc. Rachel Tobac, CEO of Social Proof Security, tweeted:
So far the attacker claims they were able to hack Fast Company due to a simple reused password that gave them access to most tools including admin pages, email, alerts, etc (but not customer data). pic.twitter.com/QaeNLRd5pgOpens a new window
— Rachel Tobac (@RachelTobac) September 28, 2022Opens a new window
Considering the hacker was able to push out notifications on Apple News, it is reasonable to assume they also accessed Apple News API keys which postpixel confirmed. According to the post, before the attacker could crack the WordPress password, they found the origin IP and bypassed the HTTP basic auth.
See More: American Airlines Discloses July Data Breach But Remains Tight-lipped on Details
“We were able to exfiltrate a BUNCH of sensitive stuff through there – Auth0 tokens, Apple News API keys, Amazon SES secrets (we could literally send email as any @fastcompany.com email with this access), etc,†the hacker claimed. “We also found a Slack webhook, which we could’ve used to pull some bulls–t, but we didn’t want to bother.â€
However, customer records remain unaffected. The hacker also ridiculed Fast Company for taking less than necessary steps to control the compromise.
postpixel also claimed to have some employees’ email addresses, usernames, and IPs as well as drafts which they said they would publish on a breach forum.
“The messages are vile and are not in line with the content and ethos of Fast Company,†the publication said. “Fast Company regrets that such abhorrent language appeared on our platforms and in Apple News, and we apologize to anyone who saw it before it was taken down.â€
Fast Company has engaged a cybersecurity firm in its incident response efforts. The Fast Company’s official website currently redirects to a statement on the hack since it was taken down on Tuesday evening and will continue to be “until we are certain the situation has been resolved.â€
Let us know if you enjoyed reading this news on LinkedInOpens a new window , TwitterOpens a new window , or FacebookOpens a new window . We would love to hear from you!