American business magazine Fast Company reached out to its Executive Board members this week to let them know their personal information was not stolen in a September 27 cyberattack that forced it to shut down its website. However, it also confirmed that the threat actor behind the attack was able to steal contributor credentials and put them up for sale online after hacking its content management system. “The hacked downloaded Fast Company contributor usernames and passwords and made the obtained information available for purchase on the web site called Breach Forums,” Fast Company said in a notification shared with us by a reader. “Thankfully, Fast Company Executive Board member information is protected in a separate database. Personal information of members was not compromised in the cyberattack.” The Fast Company website was brought back online and resumed operation on Wednesday, according to the same notification. While the company said that it hired a leading global incident response and cybersecurity firm to help investigate the attack, it is yet to share additional details regarding last month’s incident.
This alert follows a two-week shutdown of Fast Company’s website after the hacker also pushed racist notifications to readers’ mobile devices via Apple News. Fast Company took the site offline after it was also defaced to show “Hacked by Vinny Troia. [redacted]” messages instead of the usual headlines. This linked the hack to the Breached hacking community, whose members are known for defacing websites and blaming security researcher Vinny Troia. Following the incident, Apple also disabled Fast Company’s channel on its Apple News service to prevent similar incidents. Thrax, the Breached member who claimed the attack, also claimed they breached the site’s CMS after allegedly bypassing the HTTP basic authentication on Fast Company’s WordPress instance with the help of a very simple default password used for dozens of accounts. In the next stage of the attack, the threat actor said they stole Auth0 tokens, Apple News API keys, and Amazon SES secrets which helped create CMS administrator accounts later used to push the Apple News notifications.