Facebook malware leaks employees' usernames and passwords

Hacker discovers malware in "astounding" Facebook security breach

A hacker has discovered malware on a Facebook server that leaked employees' usernames and passwords.

The bounty hunter known by their pseudonym, Orange Tsai - broke into one of the social network's Linux-based servers, but found that another hacker had already installed malware that stole users' access details, sending them to a remote computer.

Tsai collected a $10,000 cheque for their discovery, with Facebook saying the bug was the work of another hacker also trying to collect a bounty from the social media giant.

Facebook's security engineer, Reginaldo Silva, posted in a forum to say: "The activity Orange detected was in fact from another researcher who participates in our bounty program.

Advertisement - Article continues below
Advertisement - Article continues below

"Neither of them were able to compromise other parts of our infra-structure so, the way we see it, it's a double win: two competent researchers assessed the system, one of them reported what he found to us and got a good bounty, none of them were able to escalate access."

Tsai explained that they gained access to the server via an internal Facebook domain called The Facebook Network (vpn.tfbnw.net), using an insecure file transfer server Accellion's Secure File Transfer.

Tsai discovered seven exploits in this file-share and sync tool, triggering them to take control of the server which was when they "found some strange things on web log", including PHP error messages.

I followed the PHP paths in error messages and ended up with discovering suspicious WEBSHELL files left by previous visitors'," they said.

Image courtesy of JD Lasica

One of these files stood out. "The hacker created a proxy on the credential page to log the credentials of Facebook employees. These logged passwords were stored under web directory for the hacker to use WGET every once in a while," Tsai said.

Advertisement - Article continues below

"The time I discovered these, there were around 300 logged credentials dated between February 1st to 7th, from February 1st, mostly "@fb.com" and "@facebook.com". Upon seeing it I thought it's a pretty serious security incident."

Tsai said they collected evidence of the hack and reported it to Facebook, collecting the $10,000 bounty.

Facebook's Silva added: "We're really glad Orange reported this to us. On this case, the software we were using is third party. As we don't have full control of it, we ran it isolated from the systems that host the data people share on Facebook."

Two-factor authentication firm SecureAuth's chief security architect, James Romer, said Facebook should not be relying on usernames and passwords for its employees.

Advertisement - Article continues below

"It's astounding that a company such as Facebook, which handles the details of millions of users worldwide, would still be relying on a username and password combination for employee logins when it's well known that this is not an adequate authentication method on its own," he said.

"This malware being installed in one of the most well-known organisations in the world is a hefty reminder yet again that businesses cannot rely on a simplistic approach to authentication."

Featured Resources

How inkjet can transform your business

Get more out of your business by investing in the right printing technology

Download now

Journey to a modern workplace with Office 365: which tools and when?

A guide to how Office 365 builds a modern workplace

Download now

Modernise and transform your sales organisation

Learn how a modernised sales process can drive your business

Download now

Your guide to managing cloud transformation risk

Realise the benefits. Mitigate the risks

Download now



Hackers abuse LinkedIn DMs to plant malware

25 Feb 2019

Best free malware removal tools 2019

23 Dec 2019

How to protect against a DDoS attack

25 Oct 2019

Best antivirus for Windows 10

3 Sep 2019

Most Popular


How to use Chromecast without Wi-Fi

5 Feb 2020
artificial intelligence (AI)

AI identifies 11 earth-bound asteroids

18 Feb 2020
operating systems

How to fix a stuck Windows 10 update

12 Feb 2020

The top ten password-cracking techniques used by hackers

10 Feb 2020