• Menu
  • Skip to main content
  • Skip to primary sidebar

The Cyber Security News

Latest Cyber Security News

Header Right

  • Latest News
  • Vulnerabilities
  • Cloud Services
hackerone employee caught stealing vulnerability reports for personal gains

HackerOne Employee Caught Stealing Vulnerability Reports for Personal Gains

You are here: Home / General Cyber Security News / HackerOne Employee Caught Stealing Vulnerability Reports for Personal Gains
July 4, 2022

Vulnerability coordination and bug bounty platform HackerOne on Friday disclosed that a previous staff at the agency improperly accessed security reports submitted to it for individual acquire.

“The person anonymously disclosed this vulnerability info outside the house the HackerOne platform with the aim of boasting additional bounties,” it said. “In below 24 several hours, we worked promptly to incorporate the incident by pinpointing the then-personnel and reducing off access to data.”

The employee, who had access to HackerOne methods concerning April 4 and June 23, 2022, for triaging vulnerability disclosures related with unique purchaser plans, has considering that been terminated by the San Francisco-headquartered business as of June 30.

✔ Approved Seller From Our Partners
Mullvad VPN Discount

Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).

➤ Get Mullvad VPN with 12% Discount


Contacting the incident as a “distinct violation” of its values, lifestyle, policies, and work contracts, HackerOne said it was alerted to the breach on June 22 by an unnamed customer, which asked it to “look into a suspicious vulnerability disclosure” by way of an off-platform conversation from an particular person with the handle “rzlr” making use of “intense” and “scary” language.

Subsequently, analysis of inside log details used to watch employee access to buyer disclosures traced the publicity to a rogue insider, whose target, it famous, was to re-post copy vulnerability reviews to the exact same prospects using the system to acquire financial payouts.

“The menace actor produced a HackerOne sockpuppet account and experienced acquired bounties in a handful of disclosures,” HackerOne detailed in a article-mortem incident report, including seven of its clients obtained immediate interaction from the threat actor.

“Adhering to the money trail, we gained affirmation that the threat actor’s bounty was linked to an account that economically benefited a then-HackerOne worker. Assessment of the threat actor’s network site visitors supplied supplemental proof connecting the danger actor’s principal and sockpuppet accounts.”

CyberSecurity

HackerOne more reported it has individually notified clients about the exact bug reviews that ended up accessed by the malicious party alongside with the time of accessibility, although emphasizing it uncovered no proof of vulnerability data obtaining been misused or other buyer data accessed.

On major of that, the corporation famous it aims to carry out more logging mechanisms to increase incident reaction, isolate details to cut down the “blast radius,” and improve processes in location to recognize anomalous access and proactively detect insider threats.

Discovered this post exciting? Abide by THN on Fb, Twitter  and LinkedIn to read much more exceptional information we post.


Some parts of this report are sourced from:
thehackernews.com

Previous Post: «what is the eu’s digital operational resilience act (dora)? What is the EU’s Digital Operational Resilience Act (DORA)?
Next Post: Universities are fighting a cyber security war on multiple fronts universities are fighting a cyber security war on multiple fronts»

Reader Interactions

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Primary Sidebar

Report This Article

Recent Posts

  • New HTTPBot Botnet Launches 200+ Precision DDoS Attacks on Gaming and Tech Sectors
  • Top 10 Best Practices for Effective Data Protection
  • Researchers Expose New Intel CPU Flaws Enabling Memory Leaks and Spectre v2 Attacks
  • Fileless Remcos RAT Delivered via LNK Files and MSHTA in PowerShell-Based Attacks
  • [Webinar] From Code to Cloud to SOC: Learn a Smarter Way to Defend Modern Applications
  • Meta to Train AI on E.U. User Data From May 27 Without Consent; Noyb Threatens Lawsuit
  • Coinbase Agents Bribed, Data of ~1% Users Leaked; $20M Extortion Attempt Fails
  • Pen Testing for Compliance Only? It’s Time to Change Your Approach
  • 5 BCDR Essentials for Effective Ransomware Defense
  • Russia-Linked APT28 Exploited MDaemon Zero-Day to Hack Government Webmail Servers

Copyright © TheCyberSecurity.News, All Rights Reserved.