Vulnerability coordination and bug bounty platform HackerOne on Friday disclosed that a former employee at the firm improperly accessed security reports submitted to it for personal gain.
“The person anonymously disclosed this vulnerability information outside the HackerOne platform with the goal of claiming additional bounties,” it said. “In under 24 hours, we worked quickly to contain the incident by identifying the then-employee and cutting off access to data.”
The employee, who had access to HackerOne systems between April 4 and June 23, 2022, for triaging vulnerability disclosures associated with different customer programs, has since been terminated by the San Francisco-headquartered company as of June 30.
Calling the incident as a “clear violation” of its values, culture, policies, and employment contracts, HackerOne said it was alerted to the breach on June 22 by an unnamed customer, which asked it to “investigate a suspicious vulnerability disclosure” through an off-platform communication from an individual with the handle “rzlr” using “aggressive” and “intimidating” language.
Subsequent analysis of internal log data used to monitor employee access to customer disclosures traced the exposure to a rogue insider, whose goal, it noted, was to re-submit duplicate vulnerability reports to the same customers using the platform to receive monetary payouts.
“The threat actor created a HackerOne sockpuppet account and had received bounties in a handful of disclosures,” HackerOne detailed in a post-mortem incident report, adding seven of its customers received direct communication from the threat actor.
“Following the money trail, we received confirmation that the threat actor’s bounty was linked to an account that financially benefited a then-HackerOne employee. Analysis of the threat actor’s network traffic provided supplemental evidence connecting the threat actor’s primary and sockpuppet accounts.”
HackerOne further said it has individually notified customers about the exact bug reports that were accessed by the malicious party along with the time of access, while emphasizing it found no evidence of vulnerability data having been misused or other customer information accessed.
On top of that, the company noted it aims to implement additional logging mechanisms to improve incident response, isolate data to reduce the “blast radius,” and enhance processes in place to identify anomalous access and proactively detect insider threats.