"The threat actor then say they gained access to the WordPress CMS using a very easy default password that was used on 'dozens' of accounts"

https://www.bleepingcomputer.com/news/security/hacker-shares-how-they-allegedly-breached-fast-company-s-site/