iPhone Owners Receive Vile Messages After Apple News Partner Is Hacked

iphone vile messages apple news partner hacked news
Yesterday evening, iPhone users may have been surprised to see multiple push notifications from Apple News containing a racist slur and other obscene language. The notifications were triggered by Fast Company’s Apple News account, prompting Apple News to disable the publication’s news channel. As it turns out, a hacker who previously compromised the publication’s WordPress content management system (CMS) was behind the vulgar push notifications.

breach forums post announcing fast company hack news
The hacker’s Breach Forums post announcing the Fast Company hack (click to enlarge)

The initial hack took place on Sunday afternoon and became apparent when all the article titles on the publication’s website were changed to display an obscene message announcing the hack and falsely attributing it to Vinny Troia. Troia is a cybersecurity researcher whose name has a history of appearing in trollish messages sent by cybercriminals. Late last year, a threat actor known as pompompurin breached the US Federal Bureau of Investigation’s (FBI) web portal and sent out thousands of hoax emails falsely identifying Troia as a member of an extortion gang. For context, pompompurin is the owner and administrator of Breach Forums, the almost identical successor to RaidForums, which was shut down by US law enforcement earlier this year.

Breach Forums is a hacking website frequented by cybercriminals who buy and sell stolen data. It’s no surprise, then, that the hacker who compromised Fast Company’s CMS started a thread on Breach Forums announcing the hack and offering up stolen data. The hacker, who goes by the name “thrax,” claims to have stolen 6,737 employee records from the publication’s WordPress database. However, he says that he wasn’t able to access customer information.

According to a second post by thrax, he gained access to Fast Company’s WordPress instance by discovering that the default password was “pizza123” and that at least a dozen accounts still had the default password. One of these accounts was an administrator account, giving the hacker high level permissions within the publication’s CMS. The hacker then used these privileges to access sensitive information, including authentication tokens, Apple News API keys, Amazon SES secrets, and a Slack webhook. One of the authentication tokens let the hacker exfiltrate employee data, as well as create a new admin account with access to two additional company portals.

fast company website displaying explanation statement news
Statement displayed on Fast Company’s website explaining the situation (click to enlarge)

Fast Company eventually became aware of this breach on Sunday night and changed all of the article titles on its website back to their original titles. However, it appears that the publication wasn’t able to fully lock the hacker out of its CMS after the initial breach. It wasn’t until two days later that the hacker used the publication’s Apple News account to send out offensive push notifications to iPhone users.

Fast Company responded to these push notifications by suspending its news feed and shutting down its website. For some time afterwards visitors to the website were simply met by a 404 error. However the publication has updated its website to display a statement explaining the situation. According to this statement, Fast Company is working with a cybersecurity firm to resolve the situation, and its website won’t be restored to its normal state until that goal is achieved.