Facebook malware leaks employees' usernames and passwords

Hacker discovers malware in "astounding" Facebook security breach

A hacker has discovered malware on a Facebook server that leaked employees' usernames and passwords.

The bounty hunter known by their pseudonym, Orange Tsai - broke into one of the social network's Linux-based servers, but found that another hacker had already installed malware that stole users' access details, sending them to a remote computer.

Advertisement - Article continues below

Tsai collected a $10,000 cheque for their discovery, with Facebook saying the bug was the work of another hacker also trying to collect a bounty from the social media giant.

Facebook's security engineer, Reginaldo Silva, posted in a forum to say: "The activity Orange detected was in fact from another researcher who participates in our bounty program.

"Neither of them were able to compromise other parts of our infra-structure so, the way we see it, it's a double win: two competent researchers assessed the system, one of them reported what he found to us and got a good bounty, none of them were able to escalate access."

Tsai explained that they gained access to the server via an internal Facebook domain called The Facebook Network (vpn.tfbnw.net), using an insecure file transfer server Accellion's Secure File Transfer.

Tsai discovered seven exploits in this file-share and sync tool, triggering them to take control of the server which was when they "found some strange things on web log", including PHP error messages.

Advertisement - Article continues below
Advertisement - Article continues below

I followed the PHP paths in error messages and ended up with discovering suspicious WEBSHELL files left by previous visitors'," they said.

Image courtesy of JD Lasica

One of these files stood out. "The hacker created a proxy on the credential page to log the credentials of Facebook employees. These logged passwords were stored under web directory for the hacker to use WGET every once in a while," Tsai said.

"The time I discovered these, there were around 300 logged credentials dated between February 1st to 7th, from February 1st, mostly "@fb.com" and "@facebook.com". Upon seeing it I thought it's a pretty serious security incident."

Tsai said they collected evidence of the hack and reported it to Facebook, collecting the $10,000 bounty.

Facebook's Silva added: "We're really glad Orange reported this to us. On this case, the software we were using is third party. As we don't have full control of it, we ran it isolated from the systems that host the data people share on Facebook."

Advertisement - Article continues below

Two-factor authentication firm SecureAuth's chief security architect, James Romer, said Facebook should not be relying on usernames and passwords for its employees.

"It's astounding that a company such as Facebook, which handles the details of millions of users worldwide, would still be relying on a username and password combination for employee logins when it's well known that this is not an adequate authentication method on its own," he said.

"This malware being installed in one of the most well-known organisations in the world is a hefty reminder yet again that businesses cannot rely on a simplistic approach to authentication."

Featured Resources

Top 5 challenges of migrating applications to the cloud

Explore how VMware Cloud on AWS helps to address common cloud migration challenges

Download now

3 reasons why now is the time to rethink your network

Changing requirements call for new solutions

Download now

All-flash buyer’s guide

Tips for evaluating Solid-State Arrays

Download now

Enabling enterprise machine and deep learning with intelligent storage

The power of AI can only be realised through efficient and performant delivery of data

Download now



Evasive malware threats doubled in 2019

24 Mar 2020
data breaches

Printing company exposes 343GB of sensitive military data

20 Mar 2020

Best free malware removal tools 2019

2 Mar 2020

How to protect against a DDoS attack

25 Oct 2019

Most Popular


Zoom kills Facebook integration after data transfer backlash

30 Mar 2020
data breaches

Marriott data breach exposes personal data of 5.2 million guests

31 Mar 2020
cyber crime

FBI warns of ‘Zoom-bombing’ hackers amid coronavirus usage spike

31 Mar 2020
data management

Oracle cloud courses are free during coronavirus lockdown

31 Mar 2020