A hacker breached Fast Company's Apple News account and sent obscene push notifications to users' home screens on Tuesday night.
US business publication Fast Company confirmed the hack on social media, saying a threat actor breached the company's content management system (CMS) and used this access to send two "obscene and racist" push notifications to Apple News subscribers.
"The messages are vile and are not in line with the content and ethos of Fast Company," the firm wrote in a press statement last night. "We are investigating the situation and have shut down FastCompany.com until the situation has been resolved."
The publication also said that the breach is related to the hack of its website on Sunday afternoon, when similar language appeared on the site's homepage and other pages. In that case, the company shut down the site but restored it two hours later.
Apple addressed the situation in a tweet in the early morning hours, confirming that the Fast Company website had been hacked and that Apple had suspended the publication's Apple News account.
"An incredibly offensive alert was sent by Fast Company, which has been hacked. Apple News has disabled their channel."
Before the website was taken offline, the hacker responsible for the breach, who identifies as 'Thrax,' reportedly posted an article on the site that detailed how they were able to infiltrate the publication.
The post claimed Fast Company had a "ridiculously easy" default password that was used across several accounts, including an admin one. According to the post, the threat actor then used the breached account to access authentication tokens and Apple News API keys, among others.
"Typically, when obscene messages or tweets are published within a hack, the finger usually points at young behavior in its juvenile sentiment," Jake Moore, global cybersecurity advisor at ESET, told Infosecurity Magazine. "However, the bigger picture lies with bigger potential implications."
In fact, the hacker also reportedly posted on BreachForums, the same platform at the center of the Optus breach, saying they were releasing a database containing 6737 Fast Company employee records.
"If thought to have been used for the administrator account also, then this could have been extremely damaging," Moore added. "Hopefully, this will act as yet another reminder to all companies using multiple tools to use unique passwords."
At the time of writing, the Fast Company website remains down. It is also unclear when and if Fast Company's channel on Apple News will be reinstated.