• Skip to main content
  • Skip to header right navigation
  • Skip to site footer
RestorePrivacy

RestorePrivacy

Resources to stay safe and secure online

  • News
  • Tools
    • Secure Browser
    • VPN
    • Ad Blocker
    • Secure Email
    • Private Search Engine
    • Data Removal
      • Incogni Review
    • Password Manager
    • Secure Messaging App
    • Tor
    • Identity Theft Protection
    • Unblock Websites
    • Privacy Tools
  • Email
    • Secure Email
    • ProtonMail Review
    • Tutanota Review
    • Mailfence Review
    • Mailbox.org Review
    • Hushmail Review
    • Posteo Review
    • Fastmail Review
    • Skiff Mail Review
    • Runbox Review
    • Temporary Disposable Email
    • Encrypted Email
    • Alternatives to Gmail
  • VPN
    • What is VPN
    • VPN Reviews
      • NordVPN Review
      • Surfshark VPN Review
      • VyprVPN Review
      • Perfect Privacy Review
      • ExpressVPN Review
      • CyberGhost Review
      • AVG VPN Review
      • IPVanish Review
      • Hotspot Shield VPN Review
      • ProtonVPN Review
      • Atlas VPN Review
      • Private Internet Access Review
      • Avast VPN Review
      • TorGuard Review
      • PrivadoVPN Review
    • VPN Comparison
      • NordVPN vs ExpressVPN
      • NordVPN vs PIA
      • IPVanish vs ExpressVPN
      • CyberGhost vs NordVPN
      • IPVanish vs NordVPN
      • ExpressVPN vs PIA
      • VyprVPN vs NordVPN
      • CyberGhost vs ExpressVPN
      • NordVPN vs HideMyAss
      • ExpressVPN vs ProtonVPN
      • Atlas VPN vs NordVPN
      • NordVPN vs Surfshark
      • ExpressVPN vs Surfshark
      • NordVPN vs Proton VPN
      • Surfshark vs CyberGhost
      • Surfshark vs IPVanish
    • Best VPNs
      • Best VPN for Torrenting
      • Best VPN for Netflix
      • Best Free VPN
      • VPN for Firestick TV
      • Best VPN for Android
      • Best VPN for Gaming
      • Best VPN for PC
      • Best VPN for Disney Plus
      • Best VPN for Hulu
      • Best VPN for Mac
      • Best VPN for Streaming
      • Best VPN for Windows
      • Best VPN for iPhone
    • VPN Coupons
      • ExpressVPN Coupon
      • NordVPN Coupon
      • Cyber Monday VPN Deals
      • NordVPN Cyber Monday
      • Surfshark VPN Cyber Monday
      • ExpressVPN Cyber Monday
    • VPN Guides
      • Free Trial VPN
      • Cheap VPNs
      • Static IP VPN
      • VPN Ad Blocking
      • No Logs VPN
      • Best VPN Chrome
      • Best VPN Reddit
      • Split Tunneling VPN
      • VPN for Binance
      • WireGuard VPN
      • VPN for Amazon Prime
      • VPN for Linux
      • VPN for iPad
      • VPN for Firefox
      • VPN for BBC iPlayer
    • By Country
      • Best VPN Canada
      • Best VPN USA
      • Best VPN UK
      • Best VPN Australia
      • VPN for Russia
    • VPN Router
  • Password
    • Best Password Managers
    • Comparisons
      • NordPass vs 1Password
      • 1Password vs LastPass
      • NordPass vs LastPass
      • RoboForm vs NordPass
      • 1Password vs Bitwarden
      • Dashlane vs NordPass
      • 1Password vs Dashlane
      • NordPass vs Bitwarden
    • KeePass Review
    • NordPass Review
    • 1Password Review
    • Dashlane Review
    • RoboForm Review
    • LastPass Review
    • Bitwarden Review
    • Strong Password
  • Storage
    • Best Cloud Storage
    • pCloud Review
    • Nextcloud Review
    • IDrive Review
    • SpiderOak Review
    • Sync.com Review
    • MEGA Cloud Review
    • NordLocker Review
    • Tresorit Review
    • Google Drive Alternatives
  • Messenger
    • Secure Messaging Apps
    • Signal Review
    • Telegram Review
    • Wire Review
    • Threema Review
    • Session Review
  • Info
    • Mission
    • Press
    • Contact
  • News
  • Tools
    • Secure Browser
    • VPN
    • Ad Blocker
    • Secure Email
    • Private Search Engine
    • Data Removal
      • Incogni Review
    • Password Manager
    • Secure Messaging App
    • Tor
    • Identity Theft Protection
    • Unblock Websites
    • Privacy Tools
  • Email
    • Secure Email
    • ProtonMail Review
    • Tutanota Review
    • Mailfence Review
    • Mailbox.org Review
    • Hushmail Review
    • Posteo Review
    • Fastmail Review
    • Skiff Mail Review
    • Runbox Review
    • Temporary Disposable Email
    • Encrypted Email
    • Alternatives to Gmail
  • VPN
    • What is VPN
    • VPN Reviews
      • NordVPN Review
      • Surfshark VPN Review
      • VyprVPN Review
      • Perfect Privacy Review
      • ExpressVPN Review
      • CyberGhost Review
      • AVG VPN Review
      • IPVanish Review
      • Hotspot Shield VPN Review
      • ProtonVPN Review
      • Atlas VPN Review
      • Private Internet Access Review
      • Avast VPN Review
      • TorGuard Review
      • PrivadoVPN Review
    • VPN Comparison
      • NordVPN vs ExpressVPN
      • NordVPN vs PIA
      • IPVanish vs ExpressVPN
      • CyberGhost vs NordVPN
      • IPVanish vs NordVPN
      • ExpressVPN vs PIA
      • VyprVPN vs NordVPN
      • CyberGhost vs ExpressVPN
      • NordVPN vs HideMyAss
      • ExpressVPN vs ProtonVPN
      • Atlas VPN vs NordVPN
      • NordVPN vs Surfshark
      • ExpressVPN vs Surfshark
      • NordVPN vs Proton VPN
      • Surfshark vs CyberGhost
      • Surfshark vs IPVanish
    • Best VPNs
      • Best VPN for Torrenting
      • Best VPN for Netflix
      • Best Free VPN
      • VPN for Firestick TV
      • Best VPN for Android
      • Best VPN for Gaming
      • Best VPN for PC
      • Best VPN for Disney Plus
      • Best VPN for Hulu
      • Best VPN for Mac
      • Best VPN for Streaming
      • Best VPN for Windows
      • Best VPN for iPhone
    • VPN Coupons
      • ExpressVPN Coupon
      • NordVPN Coupon
      • Cyber Monday VPN Deals
      • NordVPN Cyber Monday
      • Surfshark VPN Cyber Monday
      • ExpressVPN Cyber Monday
    • VPN Guides
      • Free Trial VPN
      • Cheap VPNs
      • Static IP VPN
      • VPN Ad Blocking
      • No Logs VPN
      • Best VPN Chrome
      • Best VPN Reddit
      • Split Tunneling VPN
      • VPN for Binance
      • WireGuard VPN
      • VPN for Amazon Prime
      • VPN for Linux
      • VPN for iPad
      • VPN for Firefox
      • VPN for BBC iPlayer
    • By Country
      • Best VPN Canada
      • Best VPN USA
      • Best VPN UK
      • Best VPN Australia
      • VPN for Russia
    • VPN Router
  • Password
    • Best Password Managers
    • Comparisons
      • NordPass vs 1Password
      • 1Password vs LastPass
      • NordPass vs LastPass
      • RoboForm vs NordPass
      • 1Password vs Bitwarden
      • Dashlane vs NordPass
      • 1Password vs Dashlane
      • NordPass vs Bitwarden
    • KeePass Review
    • NordPass Review
    • 1Password Review
    • Dashlane Review
    • RoboForm Review
    • LastPass Review
    • Bitwarden Review
    • Strong Password
  • Storage
    • Best Cloud Storage
    • pCloud Review
    • Nextcloud Review
    • IDrive Review
    • SpiderOak Review
    • Sync.com Review
    • MEGA Cloud Review
    • NordLocker Review
    • Tresorit Review
    • Google Drive Alternatives
  • Messenger
    • Secure Messaging Apps
    • Signal Review
    • Telegram Review
    • Wire Review
    • Threema Review
    • Session Review
  • Info
    • Mission
    • Press
    • Contact

How Fast Company’s Failure to Secure its Website Resulted in Apple News Profanity Two Days Later

September 27, 2022 By Sven Taylor — 1 Comment
Fast Company hack breach apple news leak

Two days ago, on September 25th, Fast Company’s website was hacked and publicly defaced, with the hacker discussing the exploits on a hacking forum. Earlier today, with the website still unsecured, Fast Company’s account sent out more offensive profanity via Apple News. RestorePrivacy has obtained an explanation from the hacker detailing exactly how this transpired.

Two days ago, on September 25th, we noticed a user on a popular hacker forum post about hacking the Fast Company website.

The hacker claimed that Fast Company left “database credentials open to the public” which provided access and data from the company.

The hacker released the data that was obtained from Fast Company on the hacker forum. Users could purchase the files that the hacker obtained using forum credits. The hacker, who goes by the name of Thrax, had this to say:

I am releasing 6,737 employee records from their WordPress database, among other things such as posts (including unpublished drafts), configurations, and more. We were not able to gain access to customer records as these were likely stored in another database. The data includes emails, password hashes for some users (WordPress format), and a few other things. Hell, I think there’s some Auth0 s*** hidden somewhere if you want to do anything with that.

The hacker also described how he was able to publicly defaced the website over the weekend. This was captured on the Wayback Machine here two days ago on Sunday, September 25th.

Fast Company’s website was publicly defaced with the same profanity that was blasted via Apple News earlier today.

Fast Company Hacked
Fast Company’s website was defaced on September 25th, but left unsecured for further exploitation.
Source: RestorePrivacy.com

While Fast Company was quick to fix the article titles and profanity you see above, the security vulnerabilities were left unpatched.

The hacker’s initial post on the hacker forum is still accessible at the time this article went to publication. Additionally, users of the forum are still able to download the data that was exfiltrated from the site, including Fast Company employee records.

Fast Company site hacked
The hacker’s initial post on Sunday, September 25th.
Source: RestorePrivacy.com

Interestingly, it was not until the obscene Apple News notifications were sent out today that this story really started getting attention.

With the site still left unsecured, Thrax was able to send out push notifications via Apple News from Fast Company’s official account. Numerous people took to Twitter to voice their concern and confusion about receiving these notifications.

After seeing the issue blowing up on Twitter, we reached out to the hacker for an explanation.

Hacker explains how the site was left unsecured with weak passwords (pizza123)

Thrax provided RestorePrivacy with this statement explaining what happened.

After their main website was vandalized two days earlier, they changed the database credentials and took other actions they believed would be adequate to safeguard the site, but these efforts were obviously unsuccessful.

– Hacker’s statement to RestorePrivacy on September 27th.

The hacker went on to further update the initial post to provide more of an explanation on how Fast Company failed to secure the site after it was defaced last weekend.

Wow, Fast Company. Despite the public defacement of your site, which boasts millions of visitors, all you did was hastily change your database credentials, disable outside connections to the database server, and fix the articles.

The articles are written through a WordPress instance hosted at wp.fastcompany.com – which we found the origin IP of and totally bypassed the HTTP basic auth, leaving us with only WordPress authentication. Thankfully, Fast Company had the ridiculously easy default password of “pizza123” on a dozen accounts, including an administrator account (sorry Amy!), so we got in there really easily. We were able to exfiltrate a BUNCH of sensitive stuff through there – Auth0 tokens, Apple News API keys, Amazon SES secrets (we could literally send email as any @fastcompany.com email with this access), etc. We also found a HTTP basic auth username/password, which happened to work for wp.fastcompany.com, meaning we didn’t have to go through hell to access it anymore. We also found a Slack webhook, which we could’ve used to pull some bulls***, but we didn’t want to bother.

Remember the Auth0 I just talked about earlier? Well, they had an access token in WordPress that allowed us to not only grab the email addresses, usernames, and IPs of a bunch of employees, but also create our own account that we gave admin privileges to two portals: Wonton (wonton.fastcompany.com) and the management portal (manage.fastcompany.com). manage.fastcompany.com was under HTTP auth as well, under the exact same username and password as wp.fastcompany.com (in fact, this site is what the credentials were originally for). Once we logged in with our account (which they still haven’t deleted after days, by the way), and basically let us do a f*** ton of funny sh** such as push notifications to Apple News users, mess with the site, and much more. Wonton was fairly boring, just listing a bunch of bulls*** that they hadn’t used since 2020-2021.

TLDR: Fast Company can’t even keep their security straight and did way too little to respond to this situation. Don’t trust them (or “Inc.”, they’re owned by the same company Mansueto) with your viewership.
[Other profanity redacted.]

Thrax’s explanation of how FastCompany.com was hacked

This once again illustrates the importance of using strong passwords. Just a few months back we reported how AMD was hacked by RansomHouse, and this was also allegedly carried out due to weak passwords that were cracked.

Fast Company appears to be in damage control.

They have now completely shut down the website, which returns a 404 error the time of publication (September 27th).

Fast Company has also released a statement on Twitter:

Fast Company’s official statement regarding Tuesday evening’s website hack. pic.twitter.com/XeS9PEpbDG

— Fast Company (@FastCompany) September 28, 2022

Many people are upset about the obscene messages that were sent out via Apple News earlier today. And based on the hacker’s statements, this could have all been prevented by properly securing the website after it was hacked over the weekend.

If you haven’t brushed up on strong password hygiene, right now might be a good time.

About Sven Taylor

Sven Taylor is the lead editor and founder of Restore Privacy, a digital privacy advocacy group. With a passion for digital privacy and accessible information, he created RestorePrivacy to provide you with honest, useful, and up-to-date information about online privacy, security, and related topics.

Reader Interactions

Comments

  1. BoBeX

    September 28, 2022

    Hi Sven,

    Great article!
    The naivety is hard to believe when this occurs in corporations.

    With the Optus breach in Australia this has affected such a large potion of the population that demands for change are being made.

    Sensible security researchers appear to be saying that they will wait for the result of the investigation before drawing conclusions and informed persons are saying they cannot comment while the investigation is under way. With this collective patience, the wait for the report will only be tolerated for a reasonable time frame.

    Threatening one third of our population, where the threat is non political is going to get action at all levels.

    With the cyber people who will speculate, they say it is an unsophisticated attack, ~”could be performed by a school level programmer – two lines of python.”

    I don’t wish any further damage to the Optus brand;
    And, if, it is a kid who has implemented the breach, I suggest they come forward;
    Because, we have lots coming after them.

    Regards,

    BoBeX

    Reply

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Sidebar

Digital Privacy Essentials:
Secure Browser
Private Search Engines
Secure Email
Best Password Managers
Secure Messaging Services
Best Ad Blockers
Best VPN Services
Secure Cloud Storage

Privacy & Security Guides:
Privacy Tools
Alternatives to Google Products
Firefox Privacy Modifications
Five Eyes, 9 Eyes, 14 Eyes Spying
Browser Fingerprinting
Is Tor Safe?
Alternatives to Gmail
VPN vs Tor
Alternatives to WhatsApp
Is Your Antivirus Spying on You?
Controlling Communication Channels is Crucial for Privacy
Anonymity Networks: VPNs, Tor, and I2P
How to Really Be Anonymous Online
Private and Anonymous Payments

Secure Email Reviews:
ProtonMail Review
Tutanota Review
Mailfence Review
Mailbox.org Review
Hushmail Review
Posteo Review
Fastmail Review
Runbox Review
CTemplar Review
Temporary Email Services
Encrypted Email

Password Manager Reviews:
Bitwarden Review
LastPass Review
KeePass Review
NordPass Review
Dashlane Review
1Password Review
Best Password Managers

Secure Messaging App Reviews:
Wire Review
Signal Review
Threema Review
Telegram Review
Session Review
Wickr Review

Secure Cloud Storage Reviews
Tresorit Review
MEGA Cloud Review
Sync.com Review
Nextcloud Review
IDrive Review
pCloud Review
SpiderOak Review
NordLocker Review

How To Guides
How to Encrypt Files on Windows
How to Encrypt Email
How to Configure Windows 10 for Privacy
How to use Two-Factor Authentication (2FA)
How to Secure Your Android Device for Privacy
How to Secure Your Home Network
How to Protect Yourself Against Identity Theft
How to Unblock Websites
How to Fix WebRTC Leaks
How to Test Your VPN
How to Hide Your IP Address
How to Create Strong Passwords
How to Really Be Anonymous Online

About RestorePrivacy

Contact

Restore Privacy Checklist

  1. Secure browser: Modified Firefox or Brave
  2. VPN: NordVPN [63% Off Coupon] or Surfshark
  3. Ad blocker: uBlock Origin or AdGuard
  4. Secure email: Mailfence or Tutanota
  5. Secure Messenger: Signal or Threema
  6. Private search engine: MetaGer or Brave
  7. Password manager: NordPass or Bitwarden

About

RestorePrivacy is a digital privacy advocacy group committed to helping people stay safe and secure online. You can support this project through donations, purchasing items through our links (we may earn a commission at no extra cost to you), and sharing this information with others. See our mission here.

We’re available for Press and media inquiries here.

RestorePrivacy is also on Twitter

COPYRIGHT © 2023 RESTORE PRIVACY, LLC · PRIVACY POLICY · TERMS OF USE · CONTACT · SITEMAP