Fast Company Hacker on Rogue Apple News Notification: ‘Anyone Could Have Done It’

The hacker who breached news website Fast Company and used that access to push an offensive Apple News push alert to a massive number of users says they performed the hack to “embarrass” Fast Company.

The hacker, who goes by the handle thrax, also said that the hack itself was opportunistic and they didn’t specifically target Fast Company, at least initially, highlighting something that is sometimes missed in cybersecurity discussions: often, it does not entirely matter who you are, but if you are vulnerable, a hacker may exploit those weaknesses simply because they can.

“It's not every day that you get to click a button and send tens of thousands of people a notification straight to their phone. I don't know the statistic for this, but it was lots given what we've seen,” thrax told Motherboard in a direct message on a data trading website where they have an account.

On Tuesday, Fast Company sent an Apple News push notification that said “[racial slur] tongue my anus. Thrax was here.” Many articles on the Fast Company website were also changed to display a similar message, according to archives of the defacement on the Wayback Machine. For days after the hijacking, the Fast Company website has remained offline, with visitors unable to view its articles, a highly unusual scene even compared to earlier examples of defacements of news websites. At the time of writing, Fast Company has replaced its landing page with a statement which directs visitors to the company’s social media channels.

“The messages are vile and are not in line with the content and ethos of Fast Company. Tuesday's breach follows an apparently related event that occurred Sunday afternoon on FastCompany.com, when an unknown actor (or actors) posted similar language on the site's home page and other pages. Fast Company regrets that such abhorrent language appeared on our platforms and in Apple News, and we apologize to anyone who saw it before it was taken down,” that statement reads.

Sign up for Motherboard’s daily newsletter for a regular dose of our original reporting, plus behind-the-scenes content about our biggest stories.

Thrax told Motherboard that they were “not surprised Fast Company’s website is still offline.” They said the hack started when they were browsing a website that displayed sites that had exposed credentials in public facing web pages. Those results included Fast Company and a range of other sites, thrax said. On the data trading platform, thrax has released an alleged set of more than 6,700 records that they say in an accompanying post is taken from Fast Company’s WordPress database, including password hashes for some users.

“I want to add that this was completely preventable; anyone could have done it and that anyone just ended up being me. It wasn't a sophisticated cyber attack from a foreign state and it didn't require ‘specialist skills’,” thrax added.

On the push notification specifically, thrax said “It could have been a hoax threat-to-life event, a hoax nuclear fallout, the hoax death of President Biden, a crypto scam or anything else which could have had the potential to shift markets. Instead, I chose to embarrass Fast Company.”

Subscribe to our cybersecurity podcast, CYBER. Subscribe to our new Twitch channel.