
HackerOne breach lets outside hacker read customers’ private bug reports - migueldemoura
https://arstechnica.com/information-technology/2019/12/hackerone-breach-lets-outside-hacker-read-customers-private-bug-reports
======
AshwinDurairaj
I think this is a disproportionately negative title compared to what actually
happened, and solely for one word, "breach".

My opinion is that it conveys something more serious than a bug. Thousands of
secrets have been leaked on Github/Bitbucket, and we don't need to report
every single one as a "breach".

For instance, many AWS credentials have been reported as being leaked on
HackerOne, but I don't see Ars writing an article for each one saying "X
company breach lets outside hacker have full access to X's infrastructure".

------
rvnx
The breach is here:
[https://hackerone.com/reports/745324](https://hackerone.com/reports/745324)

TL;DR: One user reported a bug to sign-in using cURL. HackerOne replied with
admin credentials (session) to show that login works.

Nobody noticed. One guy logged in, downloaded a significant amount of
sensitive data (private exploits!) and then told HackerOne. They give 20'000
USD to say nothing about it.

End of story.
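The failure described in the report above (a cURL command pasted into a ticket with a live session cookie still inside it) is the kind of thing a pre-submit check can catch before the text leaves the analyst's screen. The Python below is an added example written for this thread, not code from HackerOne or from the linked report; the sample command is constructed, and the set of headers and flags treated as credential-bearing is an assumption you would tune to your own tooling.

```python
import shlex

# Header names whose values usually carry a session or bearer credential
# (assumed list; extend for your own auth headers).
SENSITIVE_HEADERS = {"cookie", "authorization", "x-csrf-token", "x-auth-token"}
# cURL flags that take a credential as their next argument (assumed list).
CREDENTIAL_FLAGS = {"-b", "--cookie", "-u", "--user"}
HEADER_FLAGS = {"-H", "--header"}

# Constructed sample: the shape of a "here, login works for me" repro,
# with a placeholder cookie value instead of anything real.
SAMPLE_COMMAND = (
    "curl -H 'Cookie: __Host-session=SAMPLEVALUE' "
    "-H 'Accept: application/json' https://example.com/api/session"
)


def redact_curl(command: str) -> tuple[str, list[str]]:
    """Return the command with credential values replaced by <REDACTED>,
    plus the list of header names / flags that were redacted.
    Assumes one shell-quoted command line, as pasted into a ticket."""
    tokens = shlex.split(command)
    out: list[str] = []
    findings: list[str] = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok in HEADER_FLAGS and nxt is not None:
            name, sep, _value = nxt.partition(":")
            if sep and name.strip().lower() in SENSITIVE_HEADERS:
                findings.append(name.strip())
                out.extend([tok, f"{name.strip()}: <REDACTED>"])
                i += 2
                continue
        if tok in CREDENTIAL_FLAGS and nxt is not None:
            findings.append(tok)
            out.extend([tok, "<REDACTED>"])
            i += 2
            continue
        out.append(tok)
        i += 1
    # Re-quote so the redacted command is still a valid shell line.
    return " ".join(shlex.quote(t) for t in out), findings


if __name__ == "__main__":
    safe, found = redact_curl(SAMPLE_COMMAND)
    print("redacted:", found)
    print(safe)
```

Blocking the submit (or at least warning) whenever `findings` is non-empty is the cheap control; the harder one is making sure session cookies are short-lived and bound to the issuing context so a pasted value is worthless by the time anyone reads the ticket.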

