Fast Company hacked to send obscene and racist messages

Yesterday, Apple News announced it had disabled the channel of Fast Company, a US-based business magazine, after surprised Twitter users reported it was tweeting offensive comments.

An incredibly offensive alert was sent by Fast Company, which has been hacked. Apple News has disabled their channel.
— Apple News (@AppleNews) September 28, 2022

Fast Company was hacked on Sunday, September 25. The attacker responsible modified article titles to obscene and racist things:

"Hacked by Vinny Troia. [redacted] tongue my [redacted]", one title read.

This is what Fast Company looked like after it was hacked by an actor named "Thrax."

Fast Company took its site offline to fix the defacement but the hacker successfully got in again on Tuesday via content management system WordPress, in order to push the same offensive text to its followers on Apple News.

Fast Company tweeted on Wednesday:

Fast Company's Apple News account was hacked on Tuesday evening. Two obscene and racist push notifications were sent about a minute apart.
The messages are vile and not in line with the content and ethos of Fast Company. (continued below)
— Fast Company (@FastCompany) September 28, 2022

On Thursday, Fast Company's website was displaying a statement regarding the hack on a black background.

"The messages are vile and are not in line with the content and ethos of Fast Company."

While the company is working to resolve what happened, it said it will continue publishing stories on its social channels, including Facebook, LinkedIn, and TikTok.

Speaking with BleepingComputer, "Thrax" revealed how they hacked Fast Company's website.

Thrax claimed they infiltrated Fast Company after bypassing basic HTTP authentication that secured the WordPress instance the company uses for their website. They then used a default password in "dozens" of accounts to take control of the CMS.

They then stole Auth0 tokens, Apple News API keys, and Amazon SES secrets. Using the tokens, "Thrax" says they created admin accounts on the CMS systems, which were then used to push out the notifications to Apple News.