EXECUTIVE SUMMARY:

The business publication known as Fast Company has confirmed that an unauthorized person recently compromised the company’s technology infrastructure. After accessing and hijacking internal systems, the hacker managed to send push notifications to Apple News users.

The push notifications were offensive. Shocked News subscribers posted screenshots on Twitter. It remains unclear how many users received the notifications before they were deleted. As of earlier this year, Apple Inc.’s news aggregation service curated stories for 1.8 billion device users.

How it happened

Fast Company has not yet shared any information about how the breach occurred. However, the hacker who appears responsible for the breach has since posted content saying that access was obtained through the exploitation of an easy-to-guess default password. According to the hacker, the password “Pizza123” was used across multiple accounts.

The hacker managed to access sensitive information, including authentication tokens, Apple News API keys and Amazon Simple Email Service (SES) tokens, which granted the hacker permissions to send emails using any @fastcompany.com email address.

“Hopefully, this will act as yet another reminder to all companies…to use unique passwords [for each account],” stated security expert Jake Moore.

Stolen data

The hacker also claims to have obtained Fast Company database information and threatened to release it online. While cyber forensics investigators have not yet confirmed this, the database is believed to include employee records, password hashes, unpublished article drafts, and other information. The hacker did not access customer records, as they were likely maintained in a different database.

The response

“The messages are vile and not in line with the content and ethos of Fast Company,” said a company representative. “We are investigating the situation and have shut down FastCompany.com until the situation has been resolved.” As of this writing, visitors to Fast Company’s website are greeted with a “404 Not Found” message and a blank screen.

“Fast Company regrets that such abhorrent language appeared on our platforms and in Apple News, and we apologize to anyone who saw it before it was taken down,” said the publication.

This incident represents one of the most significant violations of Apple’s “walled garden” in recent memory. Apple addressed the situation via Tweet, reiterating that the Fast Company website had been hacked and that Fast Company’s Apple News account was temporarily suspended.

More information

Shortly after the breach came to light, Fast Company’s parent company, Mansueto Ventures, announced that it would also temporarily halt access to its Inc.com news website out of an “abundance of caution.”

Fast Company stated that it had previously endured an “apparently related” hack of its website on Sunday afternoon. At that point in time, similarly offensive language suddenly appeared on the company’s homepage, leading to a two-hour website shutdown.

Closing thoughts

Insecure password practices or poor passwords are exploited in as many as 81% of cyber attacks worldwide. Be sure to reset default passwords, use complex passwords, implement a different password for every access point, and avoid sharing passwords across employee groups. Consider password managers and technology that blocks password reuse, and enforce multi-factor authentication.
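As an added illustration (not code from Fast Company or from the original article), the sketch below shows one way a password-set handler can refuse known defaults and block reuse across accounts while storing only salted hashes. The deny-list entries, the 12-character minimum, the PBKDF2 work factor and all function names are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import re

# Constructed deny-list of organisation defaults; "Pizza123" is the password named in the article.
DEFAULT_PASSWORDS = {"pizza123"}
ITERATIONS = 100_000  # assumed PBKDF2 work factor for this sketch

def hash_password(password, salt=None):
    """Return (salt, digest) using a per-account random salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def matches(password, salt, digest):
    # Re-derive with the stored salt and compare in constant time.
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

def looks_like_default(password):
    # One short word followed by a few digits, the shape of "Pizza123".
    return re.fullmatch(r"[A-Za-z]{3,10}\d{1,4}", password) is not None

def check_new_password(account, password, store):
    """Return the reasons to reject `password`; an empty list means it is accepted."""
    reasons = []
    if password.lower() in DEFAULT_PASSWORDS:
        reasons.append("known default password")
    elif looks_like_default(password):
        reasons.append("word+digits pattern")
    if len(password) < 12:
        reasons.append("shorter than 12 characters")
    # Salted hashes cannot be compared directly, so test the candidate against every
    # other account's salt. Log the account names for admins; show users a generic message.
    reused = sorted(
        name for name, (salt, digest) in store.items()
        if name != account and matches(password, salt, digest)
    )
    if reused:
        reasons.append("already used by: " + ", ".join(reused))
    return reasons

def set_password(account, password, store):
    """Store the new hash only when every check passes; return the rejection reasons."""
    reasons = check_new_password(account, password, store)
    if not reasons:
        store[account] = hash_password(password)
    return reasons
```

The reuse check costs one key derivation per stored account, which is acceptable for a small set of staff and service accounts but not for a large user base.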

For further details pertaining to this story, visit TechCrunch.com.
