Business news website Fast Company was hacked last night. The result was that people who use Apple News received a notification on their phone saying “NIGGERS TONGUE MY ANUS. THRAX WAS HERE”.
We are still following this. It appears that poor security on the Fast Company website led to the compromise. The website was defaced, and the hackers left the following message on it, which sums up how they penetrated the site:
“Wow, Fast Company. Despite the public defacement of your site, which boasts millions of visitors, all you did was hastily change your database credentials, disable outside connections to the database server, and fix the articles. What an absolute disgrace of a news source, and one that I would personally avoid due to how little they care about user security. This went from some random bullshit we found while fucking around, to what will hopefully be a laughing stock for security experts across the world.
The articles are written through a WordPress instance hosted at [removed] – which we found the origin IP of and totally bypassed the HTTP basic auth, leaving us with only WordPress authentication. Thankfully, Fast Company had the ridiculously easy default password of [removed, but it started with “pizza”] on a dozen accounts, including an administrator account (sorry Amy!), so we got in there really easily. We were able to exfiltrate a BUNCH of sensitive stuff through there – Auth0 tokens, Apple News API keys, Amazon SES secrets (we could literally send email as any @fastcompany.com email with this access), etc. We also found a HTTP basic auth username/password, which happened to work for [removed], meaning we didn’t have to go through hell to access it anymore. We also found a Slack webhook, which we could’ve used to pull some bulls–t, but we didn’t want to bother.
Remember the Auth0 I just talked about earlier? Well, they had an access token in WordPress that allowed us to not only grab the email addresses, usernames, and IPs of a bunch of employees, but also create our own account that we gave admin privileges to two portals: [removed] and the management [removed]. [removed] was under HTTP auth as well, under the exact same username and password as [removed] (in fact, this site is what the credentials were originally for). Once we logged in with our account (which they still haven’t deleted after days, by the way), it basically let us do a fuck ton of funny shit such as push notifications to Apple News users, mess with the site, and much more.
[removed] was fairly boring, just listing a bunch of bullshit that they hadn’t used since 2020-2021. TLDR: Fast Company can’t even keep their security straight and did way too little to respond to this situation. Don’t trust them (or “Inc.”, they’re owned by the same company Mansueto) with your viewership.”
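The message above says the pivot from one WordPress admin login to Apple News, Amazon SES, Auth0 and Slack was possible because those credentials sat in the CMS itself. A defender's first step after an incident like this is to find out what secrets the CMS is holding so they can be rotated and moved to a secrets manager. The script below is an added example written for this article, not code from Fast Company or from any tool named in the defacement note. It assumes the CMS options have been exported as simple name/value pairs (like WordPress's wp_options table); every value in it is a constructed placeholder, not a real credential.

```python
import re

# Constructed sample rows modelled on the secret types the defacement message
# says were recoverable from WordPress. All values are fabricated placeholders.
SAMPLE_OPTIONS = [
    ("blogname", "Example Newsroom"),
    ("ses_access_key", "AKIAEXAMPLEKEY000001"),
    ("ses_secret", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"),
    ("slack_notify", "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX"),
    ("auth0_mgmt_token", "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0In0.abc123"),
    ("apple_news_key_id", "a1b2c3d4-e5f6-7890-abcd-ef1234567890"),
    ("posts_per_page", "10"),
]

# Value-shape detectors for credential formats with a recognisable structure.
VALUE_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "slack_webhook": re.compile(
        r"https://hooks\.slack\.com/services/T[A-Z0-9]+/B[A-Z0-9]+/[A-Za-z0-9]+"
    ),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b"),
}

# Option names that usually hold credentials even when the value has no fixed shape
# (e.g. an AWS secret access key or an API key id).
SECRET_LIKE_NAME = re.compile(r"(secret|token|key|password|passwd|webhook)", re.I)


def classify(option_name, option_value):
    """Return the list of reasons an option looks like it stores a credential."""
    reasons = [label for label, rx in VALUE_PATTERNS.items() if rx.search(option_value)]
    # Name heuristic: secret-ish name plus a value long enough to be a real key,
    # ignoring short or purely numeric settings such as page sizes.
    if (SECRET_LIKE_NAME.search(option_name)
            and len(option_value) >= 16
            and not option_value.isdigit()):
        reasons.append("secret-like option name")
    return reasons


def redact(value, keep=4):
    """Keep a short prefix so a finding is identifiable without reprinting the secret."""
    return value[:keep] + "*" * max(len(value) - keep, 0)


def scan_options(rows):
    """Scan (name, value) rows and return findings with redacted values."""
    findings = []
    for name, value in rows:
        reasons = classify(name, value)
        if reasons:
            findings.append({
                "option_name": name,
                "reasons": reasons,
                "redacted_value": redact(value),
            })
    return findings


if __name__ == "__main__":
    for f in scan_options(SAMPLE_OPTIONS):
        print(f"{f['option_name']:20} {f['redacted_value']:45} {', '.join(f['reasons'])}")
```

Run it against a real export and every finding is a credential to rotate and relocate, not just to delete: the note above shows that the same secrets were reused across several portals, so rotating one copy without finding the others leaves the attacker's access intact.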
This comes as even more mainstream news websites have been seeing mass break-ins and defacement. We only expect this trend to continue. We’ll monitor this story as news develops.