Fast Company took its website offline after its content management system (CMS) was hacked to display stories and push out Apple News notifications containing obscene and racist comments.
A member of the “Breached” hacking forum going by 'Thrax' published a database dump containing 6,737 employee records, which include email addresses, password hashes for some of the accounts, and unpublished drafts.
The poster claimed to have breached Fast Company after discovering a WordPress instance the company used for its website. According to the post, the instance was allegedly protected only by HTTP basic authentication, which the attacker managed to bypass. From there, the attacker gained access to the WordPress CMS using a very easy default password that was reused on "dozens" of accounts.
This access allowed them to steal Auth0 tokens, Apple News API keys, and Amazon SES secrets. Using these credentials, they claim to have created administrator accounts on the CMS, which were then used to push out the notifications to Apple News.
Following the incident, Fast Company appears to have been defaced a second time: another post on the site, written by the threat actor, detailed the attack sequence.