In a statement, Fast Company said that a threat actor breached the company’s content management system (CMS) on Tuesday, giving them access to the publication’s Apple News account. The hacker used this access to send two “obscene and racist” push notifications to Apple News subscribers, prompting shocked users to post screenshots on Twitter. It’s not clear how many users received the notifications before they were deleted.
“The messages are vile and are not in line with the content and ethos of Fast Company,” Fast Company said. “We are investigating the situation and have shut down FastCompany.com until the situation has been resolved.”
Apple has also addressed the situation in a tweet, confirming that the website has been hacked and that it has suspended Fast Company’s Apple News account.
Fast Company added that Tuesday’s breach follows an “apparently related hack” of FastCompany.com that occurred on Sunday afternoon, which led to similar language appearing on the site’s homepage and other pages.
“We shut down the site that afternoon and restored it about two hours later,” the company added. “Fast Company regrets that such abhorrent language appeared on our platforms and in Apple News, and we apologize to anyone who saw it before it was taken down.”
Fast Company didn’t share any details about how it was breached and the company wasn’t immediately available to answer our questions. At the time of writing, the Fast Company website loads a “404 Not Found” page.
However, before the website was taken offline, the hacker responsible for the breach, who identifies as “Thrax”, posted an article labeled as sponsored content that detailed how they were able to infiltrate the publication. The message claims that Fast Company had a “ridiculously easy” default password that was used across a number of accounts, including an administrator. This enabled the attacker to access a bunch of sensitive information, including authentication tokens, Apple News API keys, and Amazon Simple Email Service (SES) tokens, allowing the hacker to send emails using any @fastcompany.com email.
The attacker, in a separate message to a popular hacking forum posted on Sunday, announced they were releasing a database containing 6,737 Fast Company employee records containing employees’ email addresses, password hashes for some of them, and unpublished drafts, among other information.
This same forum has been at the center of the recent Optus breach, which saw threat actors access an unspecified number of customer names, dates of birth, phone numbers, email addresses, physical addresses and identity documents numbers, including driver’s license and passport numbers. So far, the hacker responsible claims to have released 10,200 records.
The Fast Company hacker, who claims to have previously breached photo-sharing website ClickASnap and a self-proclaimed free-speech social network USA Life, said they weren’t able to access customer records as they were likely stored in a separate database.