Yesterday, Apple News announced it had disabled the channel of Fast Company, a US-based business magazine, after surprised Twitter users reported it was tweeting offensive comments.
Fast Company was hacked on Sunday, September 25. The attacker responsible changed article titles to obscene and racist text:
“Hacked by Vinny Troia. [redacted] tongue my [redacted]”, one title read.
Fast Company took its site offline to fix the defacement, but the hacker successfully got in again on Tuesday via the WordPress content management system in order to push the same offensive text to its followers on Apple News.
Fast Company tweeted on Wednesday:
On Thursday, Fast Company’s website was displaying a statement regarding the hack on a black background.
While the company is working to resolve what happened, it said it will continue publishing stories on its social channels, including Facebook, LinkedIn, and TikTok.
Speaking with BleepingComputer, “Thrax” revealed how they hacked Fast Company’s website.
Thrax claimed they infiltrated Fast Company after bypassing the basic HTTP authentication that secured the WordPress instance the company uses for its website. They then used a default password in “dozens” of accounts to take control of the CMS.
Next, they stole Auth0 tokens, Apple News API keys, and Amazon SES secrets. Using the tokens, “Thrax” says they created admin accounts on the CMS systems, which were then used to push out the notifications to Apple News.