Fast Company CMS Hack Raises Security Questions

The company's website remains offline after hackers used its compromised CMS to send out racist messages.

a screen capture of the company's website notice about being hacked
Source: Fast Company's website, captured by Tara Seals

Fast Company, the business-news publication, has taken its website offline after cyberattackers compromised its content management system (CMS). They used the access to send out two obscene and racist push notifications to its Apple News subscribers.

The incident follows a similar defacement attack on the homepage on Sunday, where the attackers posted similar language. The outlet replaced its website with a statement overnight on Tuesday, which remains in place at press time.

"The messages are vile and are not in line with the content and ethos of Fast Company," the company said in the notice. "Fast Company regrets that such abhorrent language appeared on our platforms and in Apple News, and we apologize to anyone who saw it before it was taken down."

The company is investigating the situation and working to clean the site, it said. While no details of the attack are yet available, James McQuiggan, security awareness advocate at KnowBe4, noted that the goal was clearly brand assassination, perhaps with a side of flexing.

"While cybercriminals always go for the money, from time to time, they like to demonstrate their boldness by showing they have access to sensitive or publicly viewable systems by posting something outside of the normal scope of information shared," he said in an emailed statement.

Highlighting the Need for Better Security

Christopher Budd, senior manager of threat research at Sophos, tells Dark Reading that this is just latest example of an attack against PR and news infrastructure to deliver false information, with another recent example being a fake press release claiming Walmart was to begin accepting bitcoin.

The attack "highlights the fragility of PR and news infrastructure, and showcases how attacks like these could potentially be carried out for more malicious purposes that result in more dire consequences," he says. "Ultimately, this attack shows how news channels form a critical information infrastructure, and that this infrastructure should be secured in ways that match its criticality."

On a broader level, Jason Kent, hacker in residence at Cequence Security, suspects a credential-stuffing attack could be in play, indicating that the "credentials weren't terribly sophisticated and not backed up by multifactor auth or VPN requirements," he says.

"Credential-stuffing attacks are some of the most pervasive attacks we see on a daily basis," he adds. "Attackers attempt to guess passwords for valid accounts, and if they are successful the attacker will utilize the full permission of those credentials. Privileged access should be closely monitored as once the attacker has those, they will perform all manner of havoc."

About the Author(s)

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights