A former employee at HackerOne used their access to sensitive information at the bug bounty platform to generate personal profits, the firm has revealed.
The unnamed individual’s system access was terminated just 24 hours after a tip off from a customer revealed they had “improperly accessed information in clear violation of our values, our culture, our policies, and our employment contracts.”
The firm analyzed internal logs and found that the then-employee, who had access to HackerOne systems between April 4 and June 23 2022, contacted seven customers in an effort to make some extra money off resubmitted vulnerability disclosures.
“The threat actor created a HackerOne sockpuppet account and had received bounties in a handful of disclosures. After identifying these bounties as likely improper, HackerOne reached out to the relevant payment providers, who worked cooperatively with us to provide additional information,” HackerOne explained.
“Following the money trail, we received confirmation that the threat actor’s bounty was linked to an account that financially benefited a then-HackerOne employee. Analysis of the threat actor’s network traffic provided supplemental evidence connecting the threat actor’s primary and sockpuppet accounts.”
The firm removed the employee’s HackerOne accounts, terminated their employment and is currently considering whether to refer the case to the authorities for criminal prosecution.
The former insider, who went by the handle “rzlr” in communications with customers, is said to have used “intimidating” language with them when anonymously disclosing vulnerabilities that had already been found and disclosed.
A study last year found that a third (33%) of reported data breaches involved someone with authorized access to the impacted data, although in most cases, this led to unintentional data loss rather than deliberately malicious activity.
