- A bug hunter looking for vulnerabilities on Facebook’s server in February found a backdoor previously installed by hackers, according to a Computerworld report.
- Orange Tsai, a bug hunter and consultant for penetration testing company Devcore, found a PHP-based backdoor on software from Accellion, which Facebook employees used to share files and collaborate.
- The vulnerability allowed hackers to "execute shell commands on the server and to upload files," the report said.
Tsai reported the vulnerability to Facebook and in turn the company awarded him a $10,000 bug bounty. "At the time I discovered these, there were around 300 logged credentials dated between February 1st to 7th, mostly '@fb.com' and '@facebook.com.' Upon seeing it I thought it’s a pretty serious security incident," Tsai said, in a blog post last week.
Reginaldo Silva, a member of Facebook's security team, was quick to downplay the incidents and said in a post that neither the malicious hackers or Tsai had been able to access other parts of the company's infrastructure, according to a Fortune report. Because it was a third-party software, Facebook had run it isolated from systems that contain "data people share on Facebook," Silva wrote.
The hackers that installed the backdoor reportedly downloaded the captured credentials and also regularly deleted the file containing the data. There was also evidence that they tried to map Facebook's internal network, log into other servers and search for SSL private keys.
The system was clearly operated by the hacker in the beginning of July as well as in September, Tsai said.
The incident demonstrates the sophistication of today’s hackers. Even companies with the strictest security have become victims of stealth attacks in recent months. In April, the FBI sent out a warning that a group of hackers "have compromised and stolen sensitive information from various government and commercial networks" since at least 2011.