Bug Bounty Blackmail

At the end of January it was reported that 20 million usernames and email addresses had been stolen from Russian dating website Topface. It now appears that after trying and failing to sell the details, the hacker in question has been offered a “bug bounty” by the site.

At first this very much appeared to be a standard breach, the kind that we have unfortunately gotten used to seeing over the past few months.

That was until I read an article from The Register, which describes how the hacker, known as “Mastermind”, attempted to sell the stolen bounty of credentials via an online black market, failed to do so and was subsequently offered the “bug bounty” if he agreed not to release the information.

Following along so far? It instantly strikes me as simple extortion: “Mastermind” tries to sell his ill-gotten gains, fails, and then gets paid not to release those stolen credentials and to plug Topface’s leaks. But is it that simple? Mark James, ESET security specialist, answers my questions.

Extortion or Bug Bounty

Bug bounties have become quite a common practice of late, and there are whole conventions devoted to hacking and reporting holes in all sorts of systems. I covered a story on the large amount of money that League of Legends forks over to its bug bounty hunters.

“This is a difficult one to categorise,” Mark explains. “One side of me is shouting ‘don’t give in to blackmail’, the other side is shouting ‘but he found a bug/vulnerability, it needs reporting and a just reward offered’.

“Where it fails for me is the statement that ‘he attempted to sell some online’, then when that failed contacted the company and was given a bounty; surely if he stole the data and offered it for sale then any bounty should be null and void?

“This is very different than finding a problem and contacting the site owner immediately with an offer of a bounty and moving on from there.”

I couldn’t agree more but the most worrying thing is that this could become the norm: holding information hostage and extorting money from the owner.

Data Held Hostage

“This could indeed be construed as an acceptable way to deal with hacking,” Mark continues. “Let’s not lose sight of what happened: he stole data and attempted to sell it. If hackers see this as a way out to justify their offences we could see more and more companies being targeted and held to ransom *IF* they don’t manage to sell the data on the black market.”

Mark added that he hopes “that most companies would take the proper approach and trawl through their logs, find and repair the point of entry and pay NO reward for stealing data.”

Even if the hacker in question does manage to extort a bug bounty from a company, is there actually anything stopping them selling the data sometime down the line?

“It would appear only to be a verbal or written contract and surely that’s only as binding as the morals of the person adhering to it: who in this case is a hacker that tried to steal data and sell it on the black market…”

Mark concludes: “Don’t get me wrong, I fully support the correct methods of bug bounties, providing they are done in the right manner. Anything that helps tighten security of my private data has to be a good thing, but surely we need to start on the right foot in the first place?”

Extortion or legitimate bug bounty, your thoughts? Did Topface really have any other choice? Does that make it right?