A security researcher who managed to hack through the security of one of Facebook’s corporate networks said he found evidence of another hacker having been there too, and having installed a backdoor to steal employees’ credentials.
Penetration tester Orange Tsai, of Taiwanese cybersecurity firm Devcore, said the other hacker had set up a tool to collect and exfiltrate Facebook employees’ usernames and passwords as they logged in.
He himself got in by exploiting vulnerabilities in third-party software, from a company called Accellion, that is used for file transfers.
Tsai reported the vulnerabilities and his findings to Facebook, and got paid $10,000 under the company’s “Bug Bounty” scheme.
On Hacker News, a member of Facebook’s security team thanked Tsai and claimed the other hacker in question was also a well-meaning individual trying to collect money under Facebook’s bug-hunting program.
“Neither of them were able to compromise other parts of our infrastructure so, the way we see it, it’s a double win: two competent researchers assessed the system, one of them reported what he found to us and got a good bounty, none of them were able to escalate access,” Reginaldo Silva wrote.
Silva also said that, because it had been using third-party software that it could not control, it had run the software “isolated from the systems that host the data people share on Facebook.”
“We do this precisely to have better security,” he noted.
Facebook had not responded to a request for comment at the time of writing.
This article originally appeared on Fortune.com
More Must-Reads from TIME
- Why Trump’s Message Worked on Latino Men
- What Trump’s Win Could Mean for Housing
- The 100 Must-Read Books of 2024
- Sleep Doctors Share the 1 Tip That’s Changed Their Lives
- Column: Let’s Bring Back Romance
- What It’s Like to Have Long COVID As a Kid
- FX’s Say Nothing Is the Must-Watch Political Thriller of 2024
- Merle Bombardieri Is Helping People Make the Baby Decision
Contact us at letters@time.com