Fast Company readers who subscribe to updates from the business publication via Apple News have received a couple of obscene push notifications with racial slurs on Tuesday night. The messages caught a lot of users off guard — they truly could induce a spit take if you weren’t expecting them — and people took to Twitter to post screenshots. In a statement, Fast Company has told Engadget that its Apple News account was hacked and was used to send “obscene and racist” push notifications.” It added that it’s investigating what happened and that it has gone as far as shutting down the whole FastCompany.com domain for now.
The publication said:
“Fast Company’s Apple News account was hacked on Tuesday evening. Two obscene and racist push notifications were sent about a minute apart. The messages are vile and are not in line with the content of Fast Company. We are investigating the situation and have suspended the feed and shut down FastCompany.com until we are certain the situation has been resolved.”
Apple has addressed the situation in tweet, confirming that the website has been hacked and that it has suspended Fast Company’s account:
An incredibly offensive alert was sent by Fast Company, which has been hacked. Apple News has disabled their channel.
— Apple News (@AppleNews) September 28, 2022
At the moment, Fast Company’s website loads a “404 Not Found” page. Before it was taken down, though, the bad actors managed to post a message detailing how they were able to infiltrate the publication, along with a link to a forum where stolen databases are made available for other users. They said that Fast Company had a default password for WordPress that was much too easy to crack and used it for a bunch of accounts, including one for an administrator. From there, they were able to grab authentication tokens, Apple News API keys, among other access information. The authentication keys, in turn, gave them the power to grab the names, email addresses and IPs of a bunch of employees.
A user called “Thrax” posted in the forum they linked on the publication’s website, announcing that they were releasing a database containing 6,737 employee records. These include employees’ emails, password hashes for some of them and unpublished drafts, among other information. They weren’t able to get their hands on customer records, though, most likely because they’re kept in a separate database.