Hackers Sent Obscene Notifications Through Apple News After Fast Company Was Compromised
After being hacked to show content and send out Apple News notifications containing obscene and racist comments, Fast Company took its website offline. Today, the hacker revealed how they purportedly gained access to the site.
Today’s site included a statement from the company revealing that they were hacked on Sunday afternoon, followed by another intrusion on Tuesday evening that allowed threat actors to send bigoted notifications to mobile devices via Apple News.
“On Tuesday evening, the company’s content management system was compromised. As a result, about a minute apart, two obscene and racist push alerts were delivered to our Apple News followers “according to a statement on Fast Company’s website.
“The messages are ugly and contradict Fast Company’s content and culture.” We are investigating the problem and have suspended FastCompany.com until it is rectified.”
Users on Twitter swiftly reported the obscene Apple News notifications, prompting Apple News to block Fast Company’s channel on the news site.
The attack’s timeframe
Source: Twitter
The first indication that Fast Company had been hacked came Sunday afternoon, when the site’s home page began to load up with stories labelled “Hacked by Vinny Troia.” My [redacted] tongue, [redacted]. Thrax was present.’
Members of the Breached hacking group, as well as the now-defunct RaidForums, have a long-standing conflict with security researcher Vinny Troia, in which they frequently deface websites and commit hacks that they blame on the researcher.
Fast Company took the site offline for a while to repair the damage, but it was hacked again on Tuesday night about 8 p.m. EST. This time, the hacker sent Fast Company notifications via Apple News that included obscene and racist comments similar to the website defacement.
Today, the site was pulled offline once more and displays the above-mentioned Fast Company statement.
A hacker explains how they gained access to Fast Company.
Given the reference of “Vinny Troia” in the defacements, it’s not unexpected to discover a Breached hacking forum member named ‘Thrax’ revealing details on how they allegedly hacked Fast Company’s website.
Source: BleepingComputer
The threat actor claims they were able to compromise Fast Company after discovering a WordPress instance utilised for the company’s website.
This WordPress instance was reportedly protected by HTTP basic authentication, which was circumvented. The threat actor then claims to have gotten access to the WordPress CMS by utilising a simple default password on “dozens” of accounts.
They claim to have stolen Auth0 tokens, Apple News API keys, and Amazon SES secrets from there.
They claim to have created administrator accounts on the CMS systems using these tokens, which were then used to push notifications to Apple News.
BleepingComputer does not generally publish comprehensive information on how a hacker obtained access to a site, but because Fast Company is actively working to mitigate the breach, we thought this information could be useful to other website admins.
It should also be highlighted that these are the threat actor’s claims, and BleepingComputer has no way to independently verifying this information.
Fast Company was contacted by BleepingComputer to see if these accusations were true, but our email was returned.