HackerOne, a platform for vulnerability coordination and bug bounties, disclosed on Friday that a former employee improperly accessed security reports submitted to the platform for the purpose of personal gain.
According to the company's disclosure, "the person disclosed this vulnerability information anonymously outside of the HackerOne platform with the goal of claiming additional bounties." HackerOne said it was able to quickly identify the employee responsible for the breach and cut off their access to the company's data in fewer than twenty-four hours.
The employee, who had access to HackerOne systems between April 4 and June 23, 2022, for the purpose of triaging vulnerability disclosures associated with various customer programs, was terminated by the San Francisco-headquartered company on June 30.
HackerOne described the incident as a "clear violation" of the company's values, culture, policies, and employment contracts. The company said it was made aware of the breach on June 22 by an unnamed customer who asked it to "investigate a suspicious vulnerability disclosure" received via an off-platform communication from an individual using the handle "rzlr" and employing "aggressive" and "intimidating" language.
An investigation of the company's internal log data, which records employee access to customer disclosures, then traced the breach to a dishonest employee who was re-submitting duplicate vulnerability reports to the same customers using the platform in order to collect monetary payouts.
HackerOne detailed the following information in a post-mortem incident report: "The threat actor created a HackerOne sockpuppet account and had received bounties in a handful of disclosures." The company also mentioned that seven of its customers received direct communication from the threat actor.
"Following the trail of money, we were able to obtain confirmation that the threat actor's bounty was connected to an account that was used for the financial benefit of a former employee of HackerOne. Additional evidence linking the primary and sockpuppet accounts of the threat actor was uncovered through an analysis of the network traffic generated by the threat actor."
HackerOne further stated that it has individually notified customers about the exact bug reports that were accessed by the malicious party along with the time of access, while emphasizing that it found no evidence of vulnerability data being misused or other customer information being accessed.
The company also said it plans to implement additional logging mechanisms to improve incident response, isolate data to reduce the "blast radius," and enhance existing processes for identifying anomalous access and proactively detecting insider threats.
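The investigative step described above, correlating employee access logs with the reports that surfaced off-platform, as an added illustration that is not HackerOne's own tooling. It assumes a constructed audit-log format of one "timestamp account viewed report_id" line per view; all account names, report IDs and timestamps are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime

# Constructed audit log: "<ISO timestamp> <staff_account> viewed <report_id>".
AUDIT_LOG = """\
2022-05-02T09:14:00 triager_a viewed R-1001
2022-05-02T09:20:00 triager_b viewed R-1001
2022-05-03T11:02:00 triager_a viewed R-1002
2022-05-04T16:45:00 triager_c viewed R-1003
2022-05-05T08:30:00 triager_a viewed R-1003
2022-05-09T10:00:00 triager_b viewed R-1002
""".splitlines()

# Constructed list of reports that were re-submitted off-platform, keyed by
# the time the customer first saw the duplicate disclosure.
LEAKED = {
    "R-1001": datetime(2022, 5, 3, 12, 0),
    "R-1002": datetime(2022, 5, 6, 12, 0),
    "R-1003": datetime(2022, 5, 7, 9, 0),
}


def parse_log(lines):
    """Return {staff_account: {report_id: earliest view time}}."""
    views = defaultdict(dict)
    for line in lines:
        ts, account, verb, report = line.split()
        if verb != "viewed":  # ignore any other event types in the log
            continue
        when = datetime.fromisoformat(ts)
        prior = views[account].get(report)
        if prior is None or when < prior:
            views[account][report] = when
    return views


def suspects(views, leaked):
    """Accounts that viewed every leaked report before it surfaced off-platform.

    An account that saw only some of the reports, or saw one only after the
    duplicate appeared, cannot explain the whole leak and is excluded.
    """
    out = []
    for account, seen in views.items():
        if all(r in seen and seen[r] < t for r, t in leaked.items()):
            out.append(account)
    return sorted(out)


if __name__ == "__main__":
    print(suspects(parse_log(AUDIT_LOG), LEAKED))  # ['triager_a']
```

In a real investigation the candidate set would then be checked against the payout trail and network evidence, as the post-mortem describes, rather than treated as conclusive on its own.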