Facebook corporate network hack discovered by security researcher

Penetration testing unearths a backdoor installed on Facebook’s company servers that had been logging employee credentials and undermining the network’s security

Hackers gained entry to Facebook’s internal corporate network for several months, with access to hundreds of the social network’s employee usernames and passwords.

The hackers, who were actively exploiting Facebook’s network in July and September last year and possibly as recently as February this year, were discovered by a security researcher performing penetration testing on Facebook’s corporate network.

Having discovered seven security vulnerabilities in Facebook’s corporate tools, including a file transfer service, Devcore security researcher Orange Tsai found that at least one hacker, possibly two, had compromised Facebook and were operating within its corporate network.

Tsai said: “While collecting vulnerability details and evidence for reporting to Facebook, I found some strange things in the web log.

“The hacker created a proxy on the credential page to log the credentials of Facebook employees. These logged passwords were stored under the web directory for the hacker to use [collect] every once in a while.”

Image caption: Logged Facebook employee credentials could have given the hackers access to email accounts, Facebook’s virtual private network and other company tools. Photograph: Jonathan Nackstrand/AFP/Getty Images

According to Tsai, the logged Facebook employee credentials could have given the hackers access to email accounts, Facebook’s virtual private network and other company tools. Facebook user data is stored separately from its corporate network; it is unknown whether the right Facebook employee credentials could have given the hackers access to Facebook user data.

Tsai said: “At the time I discovered these, there were around 300 logged credentials dated between 1 and 7 February, mostly ‘@fb.com’ and ‘@facebook.com’. Upon seeing it I thought it was a pretty serious security incident.”

The penetration testing – a series of attempts by security researchers to find and report holes in a site or service’s cyber security – was conducted as part of Facebook’s Bug Bounty, which sees the social network pay people who find and disclose vulnerabilities to the company.

Facebook was alerted to the hack on 5 February by Tsai. The company launched an internal investigation, which concluded on 20 April, allowing Devcore to publish the details of the hack.

Commenting on Hacker News, a Facebook security team member called Reginaldo said: “In this case, the software we were using is third party. As we don’t have full control of it, we ran it isolated from the systems that host the data people share on Facebook. We do this precisely to have better security.

“We determined that the activity Orange detected was in fact from another researcher who participates in our bounty program. Neither of them were able to compromise other parts of our infrastructure.”

Facebook has not responded to a request for comment.

Samuel Gibbs

The Guardian
