HackerOne pays up after data incident

News
By published

Outside hacker was able to read customer bug reports after internal accident

(Image credit: Shutterstock)

The bug bounty platform HackerOne has paid a $20,000 bounty to an outside hacker after it accidentally gave them the ability to read and modify some of its customers bug reports.

It all began when the outsider, who is a HackerOne community member with a proven track record of finding vulnerabilities, was communicating with one of the company's security analysts. The HackerOne analyst sent the user, who goes by the handle haxta4ok00, parts of a cURL command.

However, the cURL command the analyst sent mistakenly included a valid session cookie which could be used by anyone who possessed it to read and even partially modify all of the data the analyst had access to.

Luckily HackerOne was able to quickly revoke the session cookie just two hours after haxta4ok00 first reported the incident.

Exposed data

At this time, HackerOne is not saying just how much data was exposed by the security analyst's mistake. In a recently published incident report though, the company said that all affected customers have already been notified privately.

The report also revealed that the exposed data was limited to reports the security analyst had access to. However, the disclosure does not even provide any clues as to how many customers or how much data was affected. A day after the incident occurred, HackerOne cofounder Jobert Abma wrote to haxta4ok00, saying:

“Something came up that we hadn’t asked you yet. We didn’t find it necessary for you to have opened all the reports and pages in order to validate you had access to the account. Would you mind explaining why you did so to us?” 

Haxta4ok00 responded to this question by saying that he opened all of the reports and pages in order to “show the impact” and did not intend any harm to either HackerOne or its customers. This explanation wasn't enough for Abma who replied, saying: “This became a bigger incident due to the amount of data that you accessed, not because it happened in the first place.

Haxta4ok00 still received a bounty of $20,000 for his discovery while learning the valuable lesson that just because files have been accidentally made accessible to you, it doesn't mean you should open them. 

Via Ars Technica

Anthony Spadafora
Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home. 

Latest in Security
IBM office logo
IBM to provide platform for flagship cyber skills programme for girls
Hacker silhouette working on a laptop with North Korean flag on the background
North Korea unveils new military unit targeting AI attacks
An image of network security icons for a network encircling a digital blue earth.
US government warns agencies to make sure their backups are safe from NAKIVO security issue
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
This top WordPress plugin could be hiding a worrying security flaw, so be on your guard
Computer Hacked, System Error, Virus, Cyber attack, Malware Concept. Danger Symbol
Veeam urges users to patch security issues which could allow backup hacks
UK Prime Minister Sir Kier Starmer
The UK releases timeline for migration to post-quantum cryptography
Latest in News
Google Gemini AI
Gmail is adding a new Gemini AI tool to help smarten up your work emails
Android 16 logo on a phone
Here's how Android 16 will upgrade the screen unlocking process on your Pixel
Visual Intelligence identifying a dog
AirPods with cameras for Visual Intelligence could be one of the best personal safety features Apple has ever planned – here's why
Nvidia AMD
Nvidia rumors suggest it's working on two affordable GPUs to spoil AMD's party
A Minecraft sheep.
Minecraft developer rejects generative AI, 'it's important that it makes us feel happy to create as humans'
IBM office logo
IBM to provide platform for flagship cyber skills programme for girls
More about security
IBM office logo

IBM to provide platform for flagship cyber skills programme for girls
Hacker silhouette working on a laptop with North Korean flag on the background

North Korea unveils new military unit targeting AI attacks

Viggle

What is Viggle: everything you need to know about the AI animation tool and meme generator
See more latest
Most Popular
A Minecraft sheep.
Minecraft developer rejects generative AI, 'it's important that it makes us feel happy to create as humans'
Nvidia AMD
Nvidia rumors suggest it's working on two affordable GPUs to spoil AMD's party
Google Gemini AI
Gmail is adding a new Gemini AI tool to help smarten up your work emails
Visual Intelligence identifying a dog
AirPods with cameras for Visual Intelligence could be one of the best personal safety features Apple has ever planned – here's why
Android 16 logo on a phone
Here's how Android 16 will upgrade the screen unlocking process on your Pixel
Apple iPhone 16 Review
New iPhone 17 report lends weight to rumors of major display and camera upgrades, and a pricey Apple foldable
IBM office logo
IBM to provide platform for flagship cyber skills programme for girls
Sky Glass Gen 2
It's a Glass act: the next generation of Sky Glass TV is now at Currys
Teams
Microsoft Teams is finally adding a tiny but crucial feature I honestly can't believe it never had
Apple Watch Ultra 2 move data
Apple is reportedly planning a huge future Apple Watch upgrade to turn it into an AI device with onboard cameras