Security researcher uncovers Facebook hack

26 Apr 2016

Hackers gained entry into Facebook's internal corporate network for several months, and had access to hundreds of the social network's employee usernames and passwords.

The hackers had exploited Facebook's network in July and September last year and possibly also in February this year, but a security researcher performing penetration testing uncovered their tracks on Facebook's corporate network.

Devcore security researcher Orange Tsai uncovered seven security vulnerabilities in Facebook's corporate tools. This included a file transfer service that at least one hacker, possibly two.

Tsai said, "While collecting vulnerability details and evidences for reporting to Facebook, I found some strange things on web log," The Guardian reported.

"The hacker created a proxy on the credential page to log the credentials of Facebook employees. These logged passwords were stored under web directory for the hacker to use [collect] every once in a while."

He added that the logged Facebook employee credentials could have given the hackers access to email accounts, Facebook's virtual private network and other company tools.

Facebook user data was stored separately from its corporate network, and it was not known whether the right Facebook employee credentials could have given the hackers access to Facebook user data.

Tsai said: "At the time I discovered these, there were around 300 logged credentials dated between 1–7, from 1 February, mostly '@fb.com' and '@facebook.com'. Upon seeing it I thought it was a pretty serious security incident."

The revelations came from Facebook's Bug Bounty programme under which the social network pays people who find and disclose vulnerabilities to the company. Security researchers attempt to find and report holes in a site or service's cyber security as part of the programme.

Tsai alerted the social network to the hack on 5 February, after which it launched an internal investigation, which concluded on 20 April. The conclusion allowed Devcore to publish the details of the hack.