Fast Company Hacker Says ‘Anyone Could Have Done It’

The hacker hacked Fast Company
Written by Carina Wilson

The hacker, known by the nickname thrax, who hacked the website of the media outlet Fast Company, said that the attack was not complicated and did not require any special skills. This week, Fast Company took its site down after it was defaced and Apple News users received lewd and racist notifications.

For some reason, in the context of this event, I wanted to remind you that we also wrote that Hackers Attacked an Anonymous Site for Sending Faeces by Mail.

Reference:
Fast Company is a monthly American business magazine published in print and online that focuses on technology, business, and design. It publishes six print issues per year.

The Fast Company website has now published an official statement, according to which the publication was hacked twice: the site was defaced last Sunday, September 25, and then on Tuesday, September 27, the attacker sent offensive push notifications to Apple News users. The investigation into the incident is still ongoing, and it is reported that FastCompany.com will be disabled “until the situation is resolved.”

The first signs of an attack on Fast Company were indeed noticed last Sunday, when articles began appearing on the site’s home page under the heading “Hacked by Vinny Troia <...> Thrax Was Here.”

Judging by this “message”, the hack involved members of the Breached hacking forum and the now-closed RaidForums, who have long been at odds with information security researcher Vinny Troia because of his investigations in general and his report on the hack group The Dark Overlord in particular. This is not the first time attackers have tried to attribute their attacks to the researcher. In 2021, this conflict escalated to the point where hackers hacked into the FBI’s servers and sent out fake cyberattack alerts, claiming Vinny Troia was responsible for these incidents.

After the defacement, Fast Company took the site offline for a while to fix the problem, but on Tuesday evening the attack continued, with the hacker sending out abusive notifications to users via Apple News.

As the attacker now says, he managed to hack Fast Company after discovering the WordPress installation on which the publication’s website was running. According to the hacker, WordPress was protected only by HTTP basic authentication, which was easily bypassed. Thrax claims to have gained access to the CMS by guessing a very simple default password that was used for “dozens” of accounts. After that, he managed to steal Auth0 tokens, Apple News API keys, and Amazon SES secrets.

Using these tokens, the attacker created administrator accounts, which were used to deface the site and send notifications through Apple News.

“I want to add that this could have been avoided: anyone could have done it, and that someone just happened to be me. It was not a sophisticated cyberattack by ‘government hackers’ and did not require any special skills. [Push notifications] could report fictitious life-threatening events, fictitious nuclear fallouts, the fictitious death of President Biden, advertise a cryptocurrency scam, or anything else that could have a potential impact on the markets. Instead, I just decided to embarrass Fast Company,” the hacker told Vice Motherboard reporters.
