FastCompany.com (6.7k)
by - Thursday, January 1, 1970 at 12:00 AM
Hello all,

Today I am releasing the FastCompany.com database.

According to Fast Company themselves, they are "the world’s leading business media brand, with an editorial focus on innovation in technology, leadership, world changing ideas, creativity, and design." Apparently changing the world and innovating involves leaving your database credentials open to the public.

I am releasing 6,737 employee records from their WordPress database, among other things such as posts (including unpublished drafts), configurations, and more. We were not able to gain access to customer records as these were likely stored in another database. The data includes emails, password hashes for some users (WordPress format), and a few other things. Hell, I think there's some Auth0 shit hidden somewhere if you want to do anything with that.

The fun came from defacing it ( https://web.archive.org/web/20220925222200/https://www.fastcompany.com/ ) and seeing various bots on Twitter send out profanity ( https://twitter.com/AlchemyCrewLtd/status/1574163471649873923 )

Have fun. Not many records, but it's the best I was able to do with the access that I found.

I do not sell data. Please do not ask.

Reply
Good shit. Sad you weren't able to get access to customer DB though, would've been a really good dump.

Some of the shit in here might be interesting. Let's see what happens with this.
I brought 3,000 guests to this forum, if that means anything.
Reply
no credit lol
Reply
Wow, Fast Company. Despite the public defacement of your site, which boasts millions of visitors, all you did was hastily change your database credentials, disable outside connections to the database server, and fix the articles. What an absolute disgrace of a news source, and one that I would personally avoid due to how little they care about user security. This went from some random bullshit we found while fucking around, to what will hopefully be a laughing stock for security experts across the world.

The articles are written through a WordPress instance hosted at wp.fastcompany.com - which we found the origin IP of and totally bypassed the HTTP basic auth, leaving us with only WordPress authentication. Thankfully, Fast Company had the ridiculously easy default password of "pizza123" on a dozen accounts, including an administrator account (sorry Amy!), so we got in there really easily. We were able to exfiltrate a BUNCH of sensitive stuff through there - Auth0 tokens, Apple News API keys, Amazon SES secrets (we could literally send email as any @fastcompany.com email with this access), etc. We also found an HTTP basic auth username/password, which happened to work for wp.fastcompany.com, meaning we didn't have to go through hell to access it anymore. We also found a Slack webhook, which we could've used to pull some bullshit, but we didn't want to bother.

Remember the Auth0 I just talked about earlier? Well, they had an access token in WordPress that allowed us to not only grab the email addresses, usernames, and IPs of a bunch of employees, but also create our own account that we gave admin privileges to two portals: Wonton (wonton.fastcompany.com) and the management portal (manage.fastcompany.com). manage.fastcompany.com was under HTTP auth as well, under the exact same username and password as wp.fastcompany.com (in fact, this site is what the credentials were originally for). Once we logged in with our account (which they still haven't deleted after days, by the way), it basically let us do a fuck ton of funny shit such as push notifications to Apple News users, mess with the site, and much more. Wonton was fairly boring, just listing a bunch of bullshit that they hadn't used since 2020-2021.

TLDR: Fast Company can't even keep their security straight and did way too little to respond to this situation. Don't trust them (or "Inc.", they're owned by the same company Mansueto) with your viewership.

Also, niggers tongue my anus. (-;
I do not sell data. Please do not ask.

Reply
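The post above describes third-party credentials (Auth0 tokens, Apple News API keys, Amazon SES secrets, a Slack webhook) sitting in plaintext inside the WordPress database. The defensive counterpart is to audit your own wp_options export for secret-shaped values so they can be rotated and moved out of the database. The script below is an added example written for this thread, not code from the poster or from any site mentioned here; the option names prefixed `hypothetical_` and every value in `SAMPLE_OPTIONS` are constructed and shaped like real formats (AWS access key IDs start with `AKIA`, Slack incoming webhooks live under `hooks.slack.com/services/`, JWTs start with `eyJ`), but none of them is a real credential. Values that match no known format fall back to a Shannon-entropy check so that opaque 32+ character tokens are still caught while low-entropy filler is ignored.

```python
import math
import re
from typing import Dict, List, Tuple

# Constructed sample rows (option_name, option_value) standing in for a wp_options
# export. Names prefixed "hypothetical_" and all values are made up for this example.
SAMPLE_OPTIONS: List[Tuple[str, str]] = [
    ("siteurl", "https://example.invalid"),
    ("blogdescription", "Just another WordPress site"),
    ("hypothetical_ses_plugin_access_key", "AKIAEXAMPLEEXAMPLE01"),
    ("hypothetical_ses_plugin_secret", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"),
    ("hypothetical_slack_webhook",
     "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX"),
    ("hypothetical_oauth_token",
     "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJkZW1vIn0.sig"),
    ("disable_password_reset", "1"),            # sensitive-looking name, harmless value
    ("cache_marker", "a" * 40),                 # long but zero-entropy, must not be flagged
    ("widget_text", "Subscribe to our newsletter"),
]

# Publicly documented shapes of common credential formats.
SECRET_PATTERNS: Dict[str, re.Pattern] = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "slack_webhook": re.compile(
        r"https://hooks\.slack\.com/services/T[A-Z0-9]+/B[A-Z0-9]+/[A-Za-z0-9]+"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*"),
}
# Option names that usually hold credentials; only meaningful with a value of real length.
NAME_HINT = re.compile(r"secret|token|key|password|passwd|webhook|api", re.I)
# Candidate opaque tokens for the entropy fallback (base64/url-safe alphabet).
OPAQUE_TOKEN = re.compile(r"[A-Za-z0-9+/=_-]{32,}")
ENTROPY_THRESHOLD = 3.5  # bits per character; random tokens sit well above this


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty or single-symbol strings)."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify_option(name: str, value: str) -> List[str]:
    """Return the reasons an option looks like a stored secret (empty list if clean)."""
    reasons: List[str] = []
    if NAME_HINT.search(name) and len(value) >= 16:
        reasons.append("name_hint")
    matched_specific = False
    for label, pattern in SECRET_PATTERNS.items():
        if pattern.search(value):
            reasons.append(label)
            matched_specific = True
    # Only fall back to the entropy heuristic when no known format matched.
    if not matched_specific:
        for m in OPAQUE_TOKEN.finditer(value):
            if shannon_entropy(m.group(0)) >= ENTROPY_THRESHOLD:
                reasons.append("high_entropy")
                break
    return reasons


def audit_options(rows: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each suspicious option_name to its reasons; clean rows are omitted."""
    report: Dict[str, List[str]] = {}
    for name, value in rows:
        reasons = classify_option(name, value)
        if reasons:
            report[name] = reasons
    return report


if __name__ == "__main__":
    for option, why in audit_options(SAMPLE_OPTIONS).items():
        print(f"ROTATE AND RELOCATE: {option} ({', '.join(why)})")
```

Run against a real export by replacing `SAMPLE_OPTIONS` with rows read from `wp_options`; anything reported is a credential that should be revoked and reissued, and the replacement kept in environment configuration or a secrets manager rather than in the database.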
thrax WWW WW WWW
Reply
big w thrax
meow meow

bonka!

shoutout to @meli0das for god <33
Reply
Hacked by @post

HACKED BY VINNY TROIA. NIGGERS TONGUE MY ANUS. THRAX WAS HERE.
:pomlove: Thank you @FederalAgentBrad for the VIP Rank and Thank you @tty for the GOD Rank.
Thank you @nan9e for the gift >.<
:pomlove:
Reply
You know it's 2022 when news outlets are more concerned about my use of the word "nigger" than the fact that this company was hacked with the potential of user data being compromised.

Now I'm just saying, I would not have had the opportunity to use the word "nigger" in an announcement sent to your subscribers en masse if you had taken steps to secure your site properly.
I do not sell data. Please do not ask.

Reply
hi mental outlaw sup
Reply
(September 28, 2022, 03:59 AM)gulag Wrote: hi mental outlaw sup


hi mutahar sup
:pomlove: Thank you @FederalAgentBrad for the VIP Rank and Thank you @tty for the GOD Rank.
Thank you @nan9e for the gift >.<
:pomlove:
Reply