Fast Company took its website offline after it was hacked to display stories and push out Apple News notifications containing obscene and racist comments. Today, the hacker shared how they allegedly breached the site.
The site today shows a statement from the company confirming they were hacked on Sunday afternoon, followed by an additional hack on Tuesday evening that allowed threat actors to push out racist notifications to mobile devices via Apple News.
“Company’s content management system was hacked on Tuesday evening. As a result, two obscene and racist push notifications were sent to our followers in Apple News about a minute apart,” reads a statement on Fast Company’s website.
“The messages are vile and are not in line with the content and ethos of Fast Company. We are investigating the situation and have shut down FastCompany.com until the situation has been resolved.”
The obscene Apple News notifications were quickly reported by users on Twitter, leading Apple News to disable Fast Company’s channel on the news service.
A timeline of the attack
First signs that Fast Company was breached occurred Sunday afternoon when the site’s home page began filling up with stories titled “Hacked by Vinny Troia. [redacted] tongue my [redacted]. Thrax was here.’
Members of the Breached hacking community, and the now shut down RaidForums, have a long-standing feud with security researcher Vinny Troia where they commonly deface websites and perform hacks, which they blame on the researcher.
Fast Company took the site offline for some time to fix the defacement but was hacked again on Tuesday night at around 8 PM EST. This time the hacker pushed out Fast Company notifications through Apple News that contained similar obscene and racist comments as the website defacement.
Today, the site was taken offline once again and displays Fast Company’s statement shared above.
Hacker shares how they breached Fast Company
Based on the mention of “Vinny Troia” in the defacements, it is not surprising to see a Breached hacking forum member named ‘Thrax’ sharing information about how they allegedly hacked Fast Company’s website.
The threat actor claims they were able to breach Fast Company after they discovered a WordPress instance used by the company for their website.
This WordPress instance was allegedly secured using HTTP basic authentication that was bypassed. The threat actor then say they gained access to the WordPress CMS using a very easy default password that was used on “dozens” of accounts.
From there, they say they were able to steal Auth0 tokens, Apple News API keys, and Amazon SES secrets.
Using these tokens, they claim to have created administrator accounts on the CMS systems, which were used to push out the notifications to Apple News.
BleepingComputer does not normally share detailed information on how a hacker gained access to a site, but as Fast Company is already mitigating the breach, we felt this information could be of benefit to other website administrators.
It should also be noted that these are the claims of the threat actor, and BleepingComputer has no way to verify this information independently.
BleepingComputer has reached out to Fast Company to confirm if these claims are valid, but our email bounced back.