The website for business publication Fast Company was taken offline Tuesday evening after a hacker defaced several news articles.
The vandalism resulted in hundreds of Apple News users receiving an unusual push alert that included a profane sexual reference and the words “Thrax was here,” which appears related to a user who frequents hacking-related online forums.
The modified article, first spotted by The Desk on Tuesday, also included a nod to prolific cybersecurity researcher Vinny Troia, though it appears he had no knowledge of or involvement in the incident.
An editor with Fast Company told The Desk they were aware of the vandalism campaign and were working to revert several articles that were defaced with profane messages.
An incredibly offensive alert was sent by Fast Company, which has been hacked. Apple News has disabled their channel.
— Apple News (@AppleNews) September 28, 2022
After some of the articles were restored, a person using the nickname “postpixel” posted a message on the Fast Company website claiming the company simply changed certain user credentials and disabled outside access to its online database.
“What an absolute disgrace of a news source,” the message said, adding that the website apparently used the word “pizza” followed by a string of numbers as its administrative password.
The original message posted on the Fast Company website can be read below:
Wow, Fast Company. Despite the public defacement of your site, which boasts millions of visitors, all you did was hastily change your database credentials, disable outside connections to the database server, and fix the articles. What an absolute disgrace of a news source, and one that I would personally avoid due to how little they care about user security. This went from some random bulls–t we found while f–king around, to what will hopefully be a laughing stock for security experts across the world.
The articles are written through a WordPress instance hosted at [removed] – which we found the origin IP of and totally bypassed the HTTP basic auth, leaving us with only WordPress authentication. Thankfully, Fast Company had the ridiculously easy default password of [removed, but it started with “pizza”] on a dozen accounts, including an administrator account (sorry Amy!), so we got in there really easily. We were able to exfiltrate a BUNCH of sensitive stuff through there – Auth0 tokens, Apple News API keys, Amazon SES secrets (we could literally send email as any @fastcompany.com email with this access), etc. We also found an HTTP basic auth username/password, which happened to work for [removed], meaning we didn’t have to go through hell to access it anymore. We also found a Slack webhook, which we could’ve used to pull some bulls–t, but we didn’t want to bother.
Remember the Auth0 I just talked about earlier? Well, they had an access token in WordPress that allowed us to not only grab the email addresses, usernames, and IPs of a bunch of employees, but also create our own account that we gave admin privileges to two portals: [removed] and the management [removed]. [removed] was under HTTP auth as well, under the exact same username and password as [removed] (in fact, this site is what the credentials were originally for). Once we logged in with our account (which they still haven’t deleted after days, by the way), it basically let us do a f–k ton of funny s–t such as push notifications to Apple News users, mess with the site, and much more. [removed] was fairly boring, just listing a bunch of bullshit that they hadn’t used since 2020-2021.
TLDR: Fast Company can’t even keep their security straight and did way too little to respond to this situation. Don’t trust them (or “Inc.”, they’re owned by the same company Mansueto) with your viewership.