It has been a difficult time for Fast Company after hackers abused their push notifications to send obscene messages. Let’s take a look at the news surrounding the Fast Company Hack.
Fast Company Goes Down
US business and media outlet Fast Company actually took down their site entirely on Tuesday night. They took this action after hackers used their site to send an obscene message to Apple users through its Apple News service.
How exactly did this happen?
As Fast Company is a news publisher, it can use the Apple News Aggregation app to connect its publishing tools to Apple news. News publishers can use this to send push notifications to those who have subscribed to recieve them from publishers. According to Fast Company, hackers abused these public tools.
Fast Company says that hackers misused the Apple News Aggregation app for publishers to send two “racist and obscene” push notifications to Apple users. Thet tweeted that the Apple News feed was suspended until the situation was resolved.
Details of the Fast Company Hack
In a Tweet, fast Company said:
Apple News also said in a Tweet that it had disabled the Fast Company Channel. In another Tweet, Fast Company announced that its content management system was hacked.
This incident was actually not the first for them. The previous Sunday afternoon similar language appeared on the Fast Company homepage and the entire site was shut down for several hours.
It Is Alleged That Hacker Thrax Is Behind It
According to Fast Company:
“Fast Company’s Apple News account was hacked on Tuesday evening. Two obscene and racist push notifications were sent about a minute apart. The messages are vile and not in line with the content and ethos of Fast Company.”
So, who did this, and how?
Subscribers of Fast company took screenshots of the tweets, so records of them exist. These records indicate that Thrax was behind the attack.
How exactly were they able to do this? The hacker has actually bragged about how incredibly easy it was to do. They claim they were able to hack Fast Company easily because the company reuses passwords.
Once they had access to that password, they could access many of the company’s tools. This includes:
- Admin Pages
- Alerts
So far it seems that the hackers have not accessed customer data.
One of the Largest Ever Breaches of Apple Content Controls
These push notifications were short sentences that contained the n-word and graphic language.
While breaches at media companies are not a new phenomenon, this is possibly one of the biggest violations of Apple’s ‘walled garden‘ of all time.
A walled garden refers to a limited set of technology or media information provided to users with the intention of creating a monopoly or secure information system.
Essentially, the tight grip which Apple keeps on its technology makes this extra shocking.
While the Fast Company site was under hacker control, an article labeled sponsored content appeared that was actually written by the hackers. They offered a description of how they had been able to hack the magazine’s site.
According to the hackers, they had accessed the Company’s WordPress program and had found keys to functions including the Apple News programming interface.
Hacker Thrax Says “Anyone Could Have Done It”
So, why did Thrax do it? They say it was mostly opportunistic and done to embarrass Fast Company.
According to Vice:
They didn’t specifically target Fast Company, at least initially, highlighting something that is sometimes missed in cybersecurity discussions: often, it does not entirely matter who you are, but if you are vulnerable, a hacker may exploit those weaknesses simply because they can.
Thrax told Motherboard via DM on a data trading platform:
“It’s not every day that you get to click a button and send tens of thousands of people a notification straight to their phone. I don’t know the statistic for this, but it was lots given what we’ve seen.”
How Did It All Start?
Thrax told Motherboard that they were browsing a website that showed the exposed credentials in public webpages. This included Fast Company and many other sites.
Thrax says that they have released an alleged set of more than 6,700 records taken from Fast Company’s WordPress database. This includes password hashes for some users.
According to Thrax:
“I want to add that this was completely preventable; anyone could have done it and that anyone just ended up being me. It wasn’t a sophisticated cyber attack from a foreign state and it didn’t require ‘specialist skills’.”
When asked why they chose to do this specifically Thrax said:
“It could have been a hoax threat-to-life event, a hoax nuclear fallout, the hoax death of President Biden, a crypto scam or anything else which could have had the potential to shift markets. Instead, I chose to embarrass Fast Company.”
Final Thoughts on the Fast Company Hack
As of October 5th, 2022, when this post is published, the Fast Company site is still down. It is unclear when it will go back online.
This is an interesting cautionary tale about being more clever about your passwords, but also one that explores a much deeper issue.
Even if you are very careful with your passwords and other personal data, there is a chance that it is being traded on dark corners of the web anyway.
While many hackers exploit data to commit identity fraud, steal from unsuspecting people, even try to cause general hysteria, some like Thrax do it seemingly for fun.
What do you think of the situation? Comment below.
Since 2009, we have helped create 400+ next-generation apps for startups, Fortune 500s, growing businesses, and non-profits from around the globe. Think Partner, Not Agency.
Find us on social #MakeItAppn®