American business magazine Fast Company reached out to its Executive Board members this week to let them know their personal information was not stolen in a September 27 cyberattack that forced it to shut down its website.
However, it also confirmed that the threat actor behind the attack was able to steal contributor credentials and put them up for sale online after hacking its content management system.
“The hacker downloaded Fast Company contributor user names and passwords and made the obtained information available for purchase on the web site called Breach Forums,” Fast Company said in a notification shared with us by a reader.
“Thankfully, Fast Company Executive Board member information is protected in a separate database. Personal information of members was not compromised in the cyberattack.”
The Fast Company website was brought back online and resumed operation on Wednesday, according to the same notification.
While the company said that it hired a leading global incident response and cybersecurity firm to help investigate the attack, it has yet to share additional details regarding last month’s incident.
Fast Company’s Executive Board is an invitation-only network of company founders, executives, and leaders that allows them to connect with their peers and publish on FastCompany.com.
Allegedly hacked due to weak default password
This alert follows a two-week shutdown of Fast Company’s website after the hacker also pushed racist notifications to readers’ mobile devices via Apple News.
Fast Company took the site offline after it was also defaced to show “Hacked by Vinny Troia. [redacted] tongue my [redacted]. Thrax was here.” messages instead of the usual headlines.
This linked the hack to the Breached hacking community, whose members are known for defacing websites and blaming security researcher Vinny Troia.
“Fast Company’s content management system was hacked on Tuesday evening. As a result, two obscene and racist push notifications were sent to our followers in Apple News about a minute apart,” a statement published on Fast Company’s website read.
“Tuesday’s hack follows an apparently related hack of FastCompany.com that occurred on Sunday afternoon, when similar language appeared on the site’s home page and other pages.”
Following the incident, Apple also disabled Fast Company’s channel on its Apple News service to prevent similar incidents.
Thrax, the Breached member who claimed the attack, also said they breached the site’s CMS after allegedly bypassing the HTTP basic authentication on Fast Company’s WordPress instance with the help of a very easy default password that was used for dozens of accounts.
In the next stage of the attack, the threat actor said they stole Auth0 tokens, Apple News API keys, and Amazon SES secrets, which helped them create the CMS administrator accounts later used to push the Apple News notifications.