Full Report
Fast Company took its website offline after its content management system (CMS) was hacked to display stories and push out Apple News notifications containing obscene and racist comments. A "Breached" hacking forum member named 'Thrax' published a database dump with 6,737 emplo...
Analysis Summary
# Incident Report: Fast Company Website & Apple News Compromise
## Executive Summary
Fast Company suffered a major compromise of its Content Management System (CMS), which allowed threat actors to push obscene and racist notifications to users via the Apple News platform. The breach resulted in the publication of a sensitive employee database and forced the organization to take its entire web infrastructure offline for over a week.
## Incident Details
- **Discovery Date:** September 27, 2022
- **Incident Date:** September 25 – September 27, 2022
- **Affected Organization:** Fast Company
- **Sector:** Media / Journalism
- **Geography:** United States
## Timeline of Events
### Initial Access
- **Date/Time:** Sunday, September 25, 2022
- **Vector:** Exploitation of a poorly secured administrative account.
- **Details:** Attackers gained access to the Fast Company WordPress dashboard. The organization later admitted the CMS was "broken into."
### Lateral Movement
- Attackers utilized their CMS access to navigate through administrative functions and gain access to internal API keys and authentication tokens for integrated third-party services.
### Data Exfiltration/Impact
- **September 27, 2022:** Two "obscene and racist" push notifications were sent to Apple News subscribers.
- **Data Breach:** A threat actor named 'Thrax' posted a database dump on the "Breached" forum containing records for 6,737 employees, including email addresses, salary information, and draft posts.
### Detection & Response
- **Discovery:** Triggered by the public visibility of the racist notifications and subsequent social media outcry.
- **Immediate Action:** Fast Company shut down its entire website (fastcompany[.]com) to contain the breach.
- **Long-term Action:** The site remained offline for eight days while forensic teams rebuilt the environment.
## Attack Methodology
- **Initial Access:** Valid accounts (credential stuffing) or exploitation of weak CMS security.
- **Persistence:** Creation of rogue administrative accounts within the WordPress CMS.
- **Privilege Escalation:** Accessing high-level administrative API keys stored within the CMS database.
- **Defense Evasion:** Not applicable; the attacker's goal was high-visibility disruption (defacement).
- **Credential Access:** Theft of cleartext or hashed credentials from the WordPress database.
- **Discovery:** Exploration of CMS plugins and integrated tools (Apple News API).
- **Lateral Movement:** Pivot from WordPress CMS to the Apple News publishing API.
- **Collection:** Dump of employee database tables (likely via an SQL export).
- **Exfiltration:** Data posted to a public cybercrime forum (Breached).
- **Impact:** Website defacement and brand damage via automated push notifications.
## Impact Assessment
- **Financial:** Significant lost ad revenue during an eight-day blackout; costs for third-party forensic investigators.
- **Data Breach:** Exposure of 6,737 employee records (PII).
- **Operational:** Total cessation of digital publishing operations for over a week.
- **Reputational:** Severe damage due to the nature of the offensive content pushed to millions of Apple News users.
## Indicators of Compromise
- **Behavioral indicators:** Unauthorized administrative logins outside of business hours; sudden modification of "Push Notification" templates; unauthorized database exports.
- **Network indicators:** hxxps[://]fastcompany[.]com (taken offline during the incident).
## Response Actions
- **Containment:** Fast Company took the unprecedented step of taking its entire domain offline.
- **Eradication:** Revoked all Apple News API keys and invalidated all CMS administrative credentials.
- **Recovery:** Restored services from known-good backups and implemented enhanced security protocols before going back online on October 6, 2022.
## Lessons Learned
- **Credential Management:** Default or weak credentials on internet-facing CMS platforms represent a critical failure point.
- **API Security:** Sensitive API keys (such as the Apple News keys) should not be stored in cleartext within the CMS, and access to them should be restricted wherever possible.
- **Incident Readiness:** While the "kill switch" (taking the site offline) was effective for containment, the week-long recovery time indicates a need for better immutable backups and rapid deployment capabilities.
## Recommendations
- **Multi-Factor Authentication (MFA):** Mandate MFA for all CMS administrative accounts without exception.
- **Least Privilege:** Limit the number of users with "Administrator" roles and restrict the ability to send push notifications to a verified subset of users.
- **Architecture Hardening:** Implement a Web Application Firewall (WAF) to block suspicious traffic and audit CMS logs for unauthorized access attempts.
- **Database Encryption:** Ensure sensitive employee data is encrypted at rest and stored separately from the public-facing CMS database.
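The behavioral indicators listed under Indicators of Compromise and the log-audit recommendation under Architecture Hardening can be turned into concrete detection rules. The following Python script is an added example written for this report, not code from Fast Company or from any WordPress plugin: it parses a few constructed activity-log lines (the field names `ts`, `event`, `user`, `role`, `target`, `target_role` and `ip` are assumptions about what an activity-log export might contain), flags administrator logins outside business hours, creation of new administrator accounts, edits to push-notification settings and database exports, and then groups the alerts by source IP so that one source tripping several rules stands out. The business-hours window and the US Eastern (UTC-4) offset are assumptions as well.

```python
"""Detection rules for the behavioral indicators named in the report.

Log lines and field names below are constructed for this example and are
not the schema of any real WordPress activity-log plugin.
"""
import json
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone

# Assumption: the newsroom works on US Eastern Daylight Time (UTC-4),
# Monday to Friday, 08:00-18:00. Adjust to the organisation's own hours.
LOCAL_TZ = timezone(timedelta(hours=-4))
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)
WORKDAYS = {0, 1, 2, 3, 4}  # Monday..Friday

# Substrings that mark settings which control what Apple News pushes.
# Constructed patterns; real option names vary by plugin.
PUSH_TEMPLATE_MARKERS = ("push_notification", "apple_news")

# Constructed sample log: one benign editor session and one administrator
# session that follows the pattern described in the report.
SAMPLE_LOG = """\
{"ts": "2022-09-26T14:15:02Z", "event": "login_success", "user": "jdoe", "role": "editor", "ip": "203.0.113.5"}
{"ts": "2022-09-25T07:42:11Z", "event": "login_success", "user": "admin", "role": "administrator", "ip": "198.51.100.23"}
{"ts": "2022-09-25T07:50:40Z", "event": "user_create", "user": "admin", "role": "administrator", "target": "support_tmp", "target_role": "administrator", "ip": "198.51.100.23"}
{"ts": "2022-09-26T14:03:09Z", "event": "option_update", "user": "jdoe", "role": "editor", "target": "blogdescription", "ip": "203.0.113.5"}
{"ts": "2022-09-27T06:21:55Z", "event": "option_update", "user": "support_tmp", "role": "administrator", "target": "apple_news_push_notification_template", "ip": "198.51.100.23"}
{"ts": "2022-09-27T06:30:12Z", "event": "db_export", "user": "support_tmp", "role": "administrator", "target": "wp_users,wp_usermeta", "ip": "198.51.100.23"}
"""


@dataclass(frozen=True)
class Alert:
    rule: str
    user: str
    ts: str
    ip: str
    detail: str


def parse_events(text):
    """Parse newline-delimited JSON events and attach a timezone-aware datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        # Older Python versions do not accept a trailing 'Z' in fromisoformat().
        ev["when"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def outside_business_hours(when):
    """True when the (UTC) timestamp falls on a weekend or outside local office hours."""
    local = when.astimezone(LOCAL_TZ)
    if local.weekday() not in WORKDAYS:
        return True
    return not (BUSINESS_START <= local.time() < BUSINESS_END)


def detect(events):
    """Apply the four behavioral rules from the report to a list of parsed events."""
    alerts = []
    for ev in events:
        target = ev.get("target", "")
        common = (ev["user"], ev["ts"], ev["ip"])
        if ev["event"] == "login_success" and ev["role"] == "administrator" \
                and outside_business_hours(ev["when"]):
            alerts.append(Alert("admin_login_off_hours", *common, "administrator login off-hours"))
        if ev["event"] == "user_create" and ev.get("target_role") == "administrator":
            alerts.append(Alert("new_admin_account", *common, f"created administrator {target}"))
        if ev["event"] == "option_update" and any(m in target for m in PUSH_TEMPLATE_MARKERS):
            alerts.append(Alert("push_template_modified", *common, f"changed {target}"))
        if ev["event"] == "db_export":
            alerts.append(Alert("database_export", *common, f"exported {target}"))
    return alerts


def suspicious_sources(alerts, min_alerts=2):
    """Source IPs that trip at least min_alerts rules; these warrant immediate triage."""
    counts = Counter(a.ip for a in alerts)
    return {ip for ip, n in counts.items() if n >= min_alerts}


def run_sample():
    return detect(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    found = run_sample()
    for a in found:
        print(f"[{a.rule}] {a.ts} user={a.user} ip={a.ip} {a.detail}")
    print("sources to triage:", sorted(suspicious_sources(found)))
```

The editor's weekday login and routine settings change produce no alerts, while the administrator session from 198.51.100.23 trips all four rules in sequence (off-hours login, new administrator account, push-template edit, database export), which is the order of events the report reconstructs. In a real deployment the rules would read from the activity-log plugin's actual export and the source grouping would feed a SIEM rather than stdout.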