Fast Company is shut down after breach (fastcompany.com)
81 points by jawns on Sept 29, 2022 | 57 comments


> We have shut down FastCompany.com until the situation is resolved.

Initially read the title as shut down for good.


That also applies to me. I would welcome it if the title were changed.


Same


Supposedly from Thrax (https://archive.ph/JWwmN):

>I am releasing 6,737 employee records from their WordPress database, among other things such as posts (including unpublished drafts), configurations, and more. We were not able to gain access to customer records as these were likely stored in another database. The data includes emails, password hashes for some users (WordPress format), and a few other things. Hell, I think there's some Auth0 shit hidden somewhere if you want to do anything with that.

>The articles are written through a WordPress instance hosted at wp.fastcompany.com - which we found the origin IP of and totally bypassed the HTTP basic auth, leaving us with only WordPress authentication. Thankfully, Fast Company had the ridiculously easy default password of "pizza123" on a dozen accounts, including an administrator account (sorry Amy!), so we got in there really easily. We were able to exfiltrate a BUNCH of sensitive stuff through there - Auth0 tokens, Apple News API keys, Amazon SES secrets (we could literally send email as any @fastcompany.com email with this access), etc. We also found a HTTP basic auth username/password, which happened to work for wp.fastcompany.com, meaning we didn't have to go through hell to access it anymore. We also found a Slack webhook, which we could've used to pull some bullshit, but we didn't want to bother.

>Remember the Auth0 I just talked about earlier? Well, they had an access token in WordPress that allowed us to not only grab the email addresses, usernames, and IPs of a bunch of employees, but also create our own account that we gave admin privileges to two portals: Wonton (wonton.fastcompany.com) and the management portal (manage.fastcompany.com). manage.fastcompany.com was under HTTP auth as well, under the exact same username and password as wp.fastcompany.com (in fact, this site is what the credentials were originally for). Once we logged in with our account (which they still haven't deleted after days, by the way), and basically let us do a fuck ton of funny shit such as push notifications to Apple News users, mess with the site, and much more. Wonton was fairly boring, just listing a bunch of bullshit that they hadn't used since 2020-2021.


A hacker statement (part of which matches one of the forum posts you quoted) was posted on the fastcompany.com site (https://web.archive.org/web/20220928010445/https://www.fastc...).

The post on the site itself, at least, must indeed have come from the hacker.

(Edited my comment with corrections)


>The articles are written through a WordPress instance hosted at wp.fastcompany.com - which we found the origin IP of and totally bypassed the HTTP basic auth, leaving us with only WordPress authentication.

Unfathomable that a publication the size of Fast Company had their wp-admin login open to the world. Locking that down is literally security priority #1 for every single new WP installation.
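The quoted statement says the basic-auth layer sat only at the edge and stopped mattering once the origin IP was known. The defensive fix this comment is pointing at is to make the origin enforce its own gate, independent of whatever the CDN does. The following is added example code, not Fast Company's configuration or anything from the page; the edge address range, the shared-secret header name `X-Edge-Secret`, and the basic-auth credential are all constructed for the example.

```python
"""
Origin-side gate for a WordPress admin surface behind a CDN / reverse proxy.
A request reaches WordPress only if (1) the TCP peer is an edge address,
(2) the edge attached a shared-secret header, and (3) for admin paths, a
valid basic-auth credential is present. Direct-to-origin traffic gets 403
no matter what credentials it carries. All values below are constructed.
"""
import base64
import hmac
import ipaddress

# Constructed: egress ranges of the edge/CDN (TEST-NET-3 documentation block).
EDGE_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
# Constructed: secret the edge adds as a request header, so a spoofed
# X-Forwarded-For alone never counts as "came via the edge".
EDGE_SECRET = b"example-edge-shared-secret"
# Paths that need an extra credential even for traffic that did come via the edge.
ADMIN_PREFIXES = ("/wp-login.php", "/wp-admin", "/xmlrpc.php")
# Constructed basic-auth credential; keep real ones hashed and outside the web root.
BASIC_AUTH_USERS = {"ops": "correct horse battery staple"}


def from_edge(peer_ip, edge_secret_header):
    """True only if the TCP peer is an edge address AND the shared header matches."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    if not any(addr in net for net in EDGE_NETWORKS):
        return False
    if edge_secret_header is None:
        return False
    return hmac.compare_digest(edge_secret_header.encode(), EDGE_SECRET)


def basic_auth_ok(authorization):
    """Validate an 'Authorization: Basic <base64 user:password>' header value."""
    if not authorization or not authorization.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(authorization[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    user, _, password = decoded.partition(":")
    expected = BASIC_AUTH_USERS.get(user, "")
    # constant-time comparison; an empty expected value never matches a real password
    return bool(expected) and hmac.compare_digest(password.encode(), expected.encode())


def gate(peer_ip, path, headers):
    """Decide what the origin answers before WordPress runs: 200, 401 or 403."""
    if not from_edge(peer_ip, headers.get("X-Edge-Secret")):
        return 403  # direct-to-origin traffic is refused, even with a valid Authorization header
    if path.startswith(ADMIN_PREFIXES) and not basic_auth_ok(headers.get("Authorization")):
        return 401  # the WordPress login form is never reachable without the extra credential
    return 200


def basic_header(user, password):
    """Build the Authorization value a client would send (used by the checks)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


if __name__ == "__main__":
    secret = EDGE_SECRET.decode()
    print(gate("198.51.100.7", "/wp-login.php", {"Authorization": basic_header("ops", "x")}))  # 403
    print(gate("203.0.113.5", "/wp-login.php", {"X-Edge-Secret": secret}))                     # 401
```

The two checks in `from_edge` are deliberately separate: an allowlist of edge addresses alone breaks when the CDN shares egress ranges with other customers, and a header secret alone is useless if the origin is reachable directly and the secret ever leaks. In practice the same logic lives in the web server or WAF in front of PHP, so that `wp-login.php` is never executed for traffic that fails either check.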


Fast Company used to be awesome to read back in the dot-com era, like an earlier version of TechCrunch (also formerly great). Back when the Internet was young and anything was possible.

What happened to these startup-covering sites? Where did they go wrong (or did they), and are there any replacements?

Are successive $100M Series Z rounds from PE funds somehow more interesting than pre-seed investments in scrappy startups?


The same advertising apocalypse that wiped out the early dot coms took out most of the media covering technology (Internet World, Red Herring, etc). Fast Company and Wired went from 100+ pages to really, really thin magazines from 2000 to 2001.

Given the combination of widespread ad blocking and reluctance to pay for subscriptions, why would anyone set their money on fire to cover startups today?


And really a lot of journalism generally. Lots of people here are very proud of all the ad-blocking tech they use and are happy with maybe dropping a few digital dimes on a substack or two. But people, including those who could afford to do so, won't pay for journalism for the most part.


You can frame it like that, but ad blocking was a response to internet advertising ridiculousness. You can't blame consumers because publishers poisoned the well.


> But people, including those who could afford to do so, won't pay for journalism for the most part.

They get what they pay for. And then complain about it.


Ad rates did not cause the rise of fringe social justice ideologies, which has completely seized mainstream media


Can't really blame them given the abysmal quality of most reporting.


Tough feedback loop we're in:

No money in journalism -> no investment in journalism -> poor quality journalism -> no payment for journalism -> no money in journalism

There must be a way out, eventually?


Money is an issue, but not the main one. When "The Message" is more important than anything else, people eventually tune out.

Same thing is happening with Hollywood and that has little to do with money - at least as far as production. "The Message" is more important than solid storytelling so people are checking out.

Seems to me the way out is to get back to basics. Stuff your opinions and indoctrination and just report the facts or tell a good story. Guess these industries will have to totally collapse before they reset back to something more reasonable. Oh well.


Not entirely sure this is avoidable with multicast media that must be self-funding.

You end up with perverse incentives left and right when you make media primarily a for-profit venture.

Herman/Chomsky's propaganda model - essentially. There's no way to "just report the facts or tell a good story" when the primary motive is profit-seeking.


I think you got it backwards. The media products are about "The message" because it sells. Even the fact that right wing pundits go batshit crazy about it in Twitter is a win.

When it stops selling, it'll die down. These US media companies are very simple minded.


I'm seeing some really domain focused subscription-only newsletters pop up. I think Axios provides media in this format to some degree.


And it ends up being self-perpetuating. You mostly don't have newsrooms any longer and much of the reporting is being done by young people earning pennies. Which makes quality even worse, so less money for decent journalism, rinse and repeat.

There is a fair bit of decent material out there but you have to seek it out to some extent. And most people still won't pay. You may not like The Economist for whatever reason but you can't really argue it's not good journalism.


Care to share what you consider decent sources?


I mentioned The Economist. I think The New York Times is pretty decent as well. For technology news, I don't think there's a single magazine source though Technology Review isn't bad for a broader view. I'm not sure there are any good business magazines these days though some sites are better than others. Individual columnists and newsletters like Levine.


The New York Times is a shell of its former self and no longer really practicing objective journalism as far as I can tell.

Journalism is very nearly dead.

The only information sources I find worth my time these days are a very short list of blogs, YouTube (almost entirely on Lex Fridman's channel) and random links found here on HN.


Of course people were complaining about perceived political biases at papers like the Times decades ago. I don’t much care for Fridman’s interview style specifically but interviews can be a good source of info although they’re not really investigative journalism in general. Though they can be with the right topic and interviewer.

Of course many would argue that even journalism of the 60s or so mostly represented a very Ivy League east coast view of the world.


Thank you for sharing. I didn't ask to open your opinions up to criticism, but I suppose that was me being naive. I will give some of those a look.


That’s very much a reaction to no one paying is it not? I remember journalism having been much better before online advertising came in and hollowed them out.


Journalists openly despise people like me. It’s delicious to watch karma in action.


Especially when things like hacker news basically does it for free.


Not really. Better in some ways, not so in others. Certainly more haphazard overall.


My guess is the economics of news on the internet were unknown at the time, so people invested in it (willing to eat losses in the short term) thinking ad supported news could take off and paid for quality journalism. Now no one is that naive and we have just clickbait factories.

Another possibility is due to the success of newspapers, the craft of journalism was still known and practiced with skill, these days it's basically just fresh college grads without any on the job training cranking out stuff they read on social media and whatever a PR rep emails them that morning. But that's also related to the economics.


I don’t know if it would have made a real difference in the end but in spite of some dissenting voices the news industry of the dot com era opened everything up and collectively decided they’d deal with the economics later.



Agree with you. It turned into an "everybody can start a business" magazine to appeal to more readers. In the process, it lost its luster.


They’re lucky the breacher used such obscene and racist terms so they can complain about that and not draw any attention to using identical easy passwords on various aspects of the site.

If the details I saw are correct they did pretty bad initial response, too.


Serving the page with a status of 503 Service Unavailable is an interesting touch.


Doing this is pretty critical for SEO in a situation like this, and these businesses tend to live and die by search traffic.


That's a great point I hadn't considered. I guess they are redirecting all pages to this announcement and, by using a 503, the search results will not be impacted.


Even so, maybe a temporary redirect, i.e. 307, would be better?
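The point made in this subthread is that an incident shutdown page should tell crawlers the outage is temporary at every URL, which is what a 503 with a Retry-After header does, rather than a 200 announcement page or a redirect. Below is added example code, not Fast Company's code or anything from the page: a WSGI middleware that puts a whole site into that mode, with a constructed stand-in for the real application and an in-process caller so it can be exercised without a server. The `/healthz` passthrough path and the flag-driven `enabled` callable are assumptions of the example.

```python
"""
Incident-mode responder for a whole site, as a WSGI middleware.
While enabled() returns true, every path (except a health probe) answers
503 Service Unavailable with Retry-After and Cache-Control: no-store.
Everything here is constructed for illustration.
"""
from wsgiref.util import setup_testing_defaults

MAINTENANCE_HTML = (
    b"<!doctype html><title>Temporarily unavailable</title>"
    b"<h1>This site is temporarily unavailable.</h1>"
)


class MaintenanceMiddleware:
    """Wrap a WSGI app; while enabled() is true, answer everything with 503."""

    def __init__(self, app, enabled, retry_after=3600, passthrough_paths=("/healthz",)):
        self.app = app
        self.enabled = enabled                      # callable: flag file, env var, feature flag
        self.retry_after = retry_after              # seconds advertised to clients and crawlers
        self.passthrough_paths = passthrough_paths  # keep the load balancer's health probe alive

    def __call__(self, environ, start_response):
        if self.enabled() and environ.get("PATH_INFO") not in self.passthrough_paths:
            start_response("503 Service Unavailable", [
                ("Content-Type", "text/html; charset=utf-8"),
                ("Retry-After", str(self.retry_after)),
                ("Cache-Control", "no-store"),  # neither CDN nor browser may cache the outage page
                ("Content-Length", str(len(MAINTENANCE_HTML))),
            ])
            # HEAD requests get status and headers but no body
            return [] if environ.get("REQUEST_METHOD") == "HEAD" else [MAINTENANCE_HTML]
        return self.app(environ, start_response)


def site_app(environ, start_response):
    """Stand-in for the real site (constructed)."""
    body = b"normal article content"
    start_response("200 OK", [("Content-Type", "text/plain"), ("Content-Length", str(len(body)))])
    return [body]


def call(app, path, method="GET"):
    """Invoke a WSGI app in-process; returns (status line, headers dict, body bytes)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    environ["REQUEST_METHOD"] = method
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    flag = {"on": True}
    app = MaintenanceMiddleware(site_app, enabled=lambda: flag["on"])
    print(call(app, "/2022/some-article")[:2])   # ('503 Service Unavailable', {...})
    flag["on"] = False
    print(call(app, "/2022/some-article")[0])    # 200 OK
```

Search-engine guidance (Google's, for one) is to use 503 with Retry-After for downtime precisely because it is read as temporary, with the caveat that a 503 lasting many days starts to be treated as permanent; that is the trade-off to watch if "until the situation is resolved" turns into weeks. The health-probe passthrough exists so the load balancer keeps sending traffic to the instances that serve the 503 page instead of marking them dead.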


Who's got the screenshots of the abhorrent messages?

Update: https://news.ycombinator.com/item?id=33002991



I would think iOS has some sort of filter for the push notifications they send, right? They might implement one now


How would that work for chat programs? I mean maybe Apple News could implement that but as far as I know normal push notifications have no concept of filtering like that. I don't think pushes are E2E (they can't be, we send them as plain text to the APN endpoints) so Apple could filter but that seems more trouble than it's worth.


They clearly didn't have even a basic one, considering the racist word. Implementing one may be relatively ineffective because if you get blocked you just change up the word by adding spaces, characters, unicode, etc. Clbuttic scenario problem.


I'm fairly certain I've heard of Firebase Cloud Messages simply refusing push notifications with bad words, which had some ramifications for non-English languages.
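The two objections raised above, that a word filter is evaded by inserting spaces or look-alike characters and that naive substring matching produces "clbuttic" false positives, are both visible in a few lines. The following is added example code, not anything from the page or from Apple, Firebase or Fast Company: a filter for outbound notification text that normalizes Unicode before matching whole words. `BLOCKED_TERMS` holds the single stand-in term "ass" because it is the term behind the "clbuttic" example; the confusables table is a constructed subset, not the full Unicode confusables list.

```python
"""
Word-list filter for outbound push-notification text.
normalize() folds case, compatibility forms, a (constructed) subset of
Cyrillic/Greek look-alikes, and invisible format characters before matching.
is_blocked() matches whole words only, which avoids 'clbuttic' false
positives; squash=True additionally catches letters separated by spaces,
at the price of new false positives (shown in the demo at the bottom).
"""
import re
import unicodedata

# Stand-in for the real term list (the 'clbuttic' example term).
BLOCKED_TERMS = {"ass"}

# Constructed subset of Unicode confusables mapping to Latin letters.
CONFUSABLES = str.maketrans({
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0455": "s",  # Cyrillic small dze
    "\u0456": "i",  # Cyrillic small i
    "\u0445": "x",  # Cyrillic small ha
    "\u03bf": "o",  # Greek small omicron
})


def normalize(text):
    """Canonical lower-case ASCII-ish form of text for matching."""
    text = unicodedata.normalize("NFKC", text).casefold().translate(CONFUSABLES)
    # drop combining marks (Mn) and invisible format characters such as zero-width spaces (Cf)
    text = "".join(ch for ch in text if unicodedata.category(ch) not in ("Mn", "Cf"))
    # collapse every run of non-word characters into a single space
    return re.sub(r"[^\w]+", " ", text).strip()


def _pattern(squash):
    terms = sorted(BLOCKED_TERMS)
    if squash:
        # allow whitespace between the letters of a term: "a s s"
        alt = "|".join(r"\s*".join(re.escape(c) for c in t) for t in terms)
    else:
        alt = "|".join(re.escape(t) for t in terms)
    # whole-word match: no word character directly before or after the term
    return re.compile(rf"(?<!\w)(?:{alt})(?!\w)")


def is_blocked(text, squash=False):
    """True if a blocked term appears as a whole word after normalization."""
    return _pattern(squash).search(normalize(text)) is not None


if __name__ == "__main__":
    samples = [
        "CLASSIC rock",                 # whole-word matching leaves this alone
        "what an \u0430\u0455\u0455",   # Cyrillic look-alikes: caught after folding
        "a\u200bss",                    # zero-width space: caught after stripping Cf
        "a s s",                        # spaced out: only caught with squash=True
        "plan a, s.s. minnow",          # squash=True false positive
    ]
    for s in samples:
        print(repr(s), is_blocked(s), is_blocked(s, squash=True))
```

The demo rows show why the thread is right to be sceptical: every normalization step added to catch one evasion (confusables, zero-width characters, spacing) widens the net and brings its own false positives, and the list of look-alikes and separators an attacker can use is far longer than any table like `CONFUSABLES`. A filter of this kind is a backstop; the control that actually matters is who holds the credential able to send notifications at all.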


I don't understand why they are apologizing for the racist messages that got posted on their site. They were hacked. We get it, obviously they did not post the messages. Seems to me they should be more sorry to all their users and customers whose data was compromised.


Yikes, hopefully this spurs folks in marketing to practice good cyber hygiene when it comes to martech platforms they use.


What does this have to do with marketing or martech? My guess is their content management system was breached, allowing the attackers to publish whatever they wanted.


Martech platforms in almost all instances will contain your company's entire customer list and the ability to message them en-masse.

Accidents like this are a good reminder that marketers and other folks who can access these systems should be extremely careful.


First time I’ve heard “martech” used. Reading these comments, it seems like “martech” consists of email spam and content management systems. Cool, but I don’t see any differentiator between martech and regular old tech that justifies the existence of martech as a term.


Cool, but martech is an industry worth hundreds of billions of $ annually so I'm not sure your uninformed opinion is all that useful.


This feels a lot more like a simple, shared WP password than any sort of sophisticated cyber security


or you could hire some security people (including appsec people) who could have told you your WordPress install had some vulnerabilities. just sayin.


The "vulnerability" apparently was depending on an IP block on a system, and having many accounts with 'pizza123' as the password.


Vulnerabilities are often with wetware running between people's ears.


If I gained control of a news outlet I would use it to spread false rumours, after taking appropriate positions in the market. Why do hackers waste these opportunities in favour of childish pranks?


I imagine that would exponentially increase potential punishments, since "real" money is involved there. I agree though, that would be more interesting, haha.


they are very frequently children (teenagers)


Sir Conrad Black, is that you?



