Cyber Incident Victim: Fast Company

Date: Sep 2022

Location: United States of America

Summary

Fast Company experienced multiple website breaches involving unauthorized content modifications and push notifications. Attackers initially defaced the homepage with offensive messages, then compromised the content management system using a default password on a WordPress instance to create administrator accounts. This access enabled distribution of racist alerts through Apple News, prompting the service to disable the organization's channel. The hacker, claiming affiliation with a known forum group, publicly shared details of the intrusion method after the incidents.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 2 techniques
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

On September 25, 2022, Fast Company’s website was initially breached when its homepage was defaced with stories containing obscene and racist language. The defacement included references to "Hacked by Vinny Troia" and the alias "Thrax," indicating involvement from members of the Breached hacking community. Fast Company temporarily took its website offline to address the incident but restored it after remediation. Two days later, on September 27 at approximately 8:00 PM EST, attackers breached the site again, exploiting access to the company’s content management system (CMS) to push two racist and obscene notifications through Apple News. These notifications were sent to Fast Company’s Apple News subscribers within one minute of each other, prompting immediate user reports on social media platforms like Twitter. Apple News disabled Fast Company’s channel shortly afterward to prevent further malicious notifications. Fast Company again took its website offline and replaced it with a statement confirming both breaches.

The attacker, using the alias 'Thrax,' later claimed responsibility on the Breached hacking forum, alleging they gained access via a WordPress instance with a default password. After compromising the CMS, the threat actor created administrator accounts and leveraged stored tokens to distribute unauthorized Apple News alerts. The breaches caused operational disruptions, requiring repeated website takedowns, and reputational damage due to the distribution of offensive content. Fast Company’s public statement acknowledged both the Sunday website defacement and the Tuesday Apple News compromise but did not disclose additional technical details about the vulnerabilities exploited. The incident highlighted risks associated with third-party integrations like Apple News and CMS security practices, though no data theft or lateral network movement was confirmed in the available reports.
