Fast Company suffered an internal breach that led to the defacement of the company’s main news site. The attacker also sent racist push notifications to Apple News users. 

In a statement, the U.S. business publication said that the threat actor breached the company’s content management system, which gave them access to its Apple News account. The attacker then used this system to send two “obscene and racist” push notifications to Apple News subscribers. It is not clear how many users received notifications before they were deleted. 

“The messages are vile and are not in line with the content and ethos of Fast Company,” Fast Company said. “We are investigating the situation and have shut down until the situation has been resolved.”

In a tweet, Apple confirmed that the website had been breached and had disabled Fast Company’s Apple News account. 

According to TechCrunch, the attacker posted an article that detailed how they were able to breach the organization, claiming that Fast Company used default passwords across several accounts, including administrator accounts. In an online forum, the attacker also said they’d release a database containing Fast Company employee records, including emails, passwords, and other information. 

The breach follows “an apparently related hack” of the company’s site, which occurred days before, in which offensive language appeared on the site’s homepage and other pages, TechCrunch reports. “We shut down the site that afternoon and restored it about two hours later,” the company added. “Fast Company regrets that such abhorrent language appeared on our platforms and in Apple News, and we apologize to anyone who saw it before it was taken down.”

“While cybercriminals always go for the money, from time to time, they like to demonstrate their boldness by showing they have access to sensitive or publicly viewable systems by posting something outside of the normal scope of information shared,” says James McQuiggan, security awareness advocate at KnowBe4. “These actions attempt to damage the victim’s brand and embarrass them publicly because they were attacked and compromised. Whether an organization has sensitive systems containing intellectual property, customer records, or a public-facing system like social media accounts, or API connections to third-party systems, it must be secured with strong, unique passwords and keys. Wherever possible, utilize a non-phishable MFA to ensure those connections are effectively secured.”