Back to all insights
Picture of Shane Brown

Shane Brown

When the Hacker Hacked the Hackers

When the Hacker Hacked the Hackers: The HackerOne Session Cookie Incident

On November 24, 2019, a bug bounty hunter made a discovery that turned hacker-powered security on its head. They accidentally gained access to HackerOne itself.

The vulnerability disclosure platform had paid out over 62 million dollars to ethical hackers worldwide. They protected clients like the U.S. Department of Defense, Twitter, and PayPal. Now they faced their own security incident.

The twist? The person who found it did exactly what HackerOne teaches: report first, exploit never.

The Accidental Breach

A researcher known as haxta4ok00 was messaging with a HackerOne security analyst about a separate bug report. The analyst made a critical mistake. They copied a cURL command directly from their browser console and pasted it into the conversation without sanitizing it first.

Buried within that command was something valuable. A valid session cookie.

What Is a Session Cookie Attack?

Session cookies are small pieces of data that web applications use to remember authenticated users as they navigate from page to page. Think of them as temporary digital keys. Once you log in, your browser stores a session cookie so you don’t have to re-enter your password every time you click a link.

The problem? Anyone who obtains that cookie impersonates you. No password required.

This is session hijacking. Attackers typically steal session cookies through malware, cross-site scripting, or man-in-the-middle attacks on unsecured networks. In this case, the cookie was handed over by accident during a routine support conversation.

The session cookie had been generated after the HackerOne analyst went through multi-factor Single Sign-On. This gave it access to all platform features, including all vulnerability reports that analyst was authorized to support.

The Scope of Access

Using the leaked session cookie, haxta4ok00 accessed a troubling amount of sensitive information. Through HackerOne’s internal GraphQL-powered interfaces, the researcher saw:

  • Report titles and metadata from HackerOne customer programs, including private bug bounty programs never publicly disclosed
  • Full report contents when accessing individual vulnerability reports
  • Up to 100 reports at a time through the Triage inbox interface

The data exposure was limited to what that specific security analyst accessed. But it still represented a significant breach. According to HackerOne’s public disclosure, less than 5 percent of programs on the platform were affected.

The implications were staggering. The compromised reports included undisclosed vulnerabilities in systems belonging to major corporations and government agencies. If someone with malicious intent had obtained this access, they could have harvested zero-day vulnerabilities and sold them on dark web markets for enormous sums.

The Critical Decision

At this point, haxta4ok00 faced a choice.

The researcher could have quietly exploited the access, downloaded the vulnerability reports, and walked away with information worth potentially millions of dollars on underground markets.

Instead, at 5:08 AM Pacific time on November 24, 2019, haxta4ok00 submitted a report to HackerOne’s own bug bounty program.

The message, written in imperfect English, read: “HackerOneStaff Access. I read all reports @security and more program.”

The researcher added: “I did it to show the impact. I didn’t mean any harm by it. I reported it to you at once.”

The Response

HackerOne’s security team noticed the report two hours after it was submitted. At 7:11 AM Pacific time, the company revoked the compromised session cookie, rendering it useless to anyone attempting to use it.

The incident response team immediately launched a comprehensive investigation to determine the scope of the breach, which customers were affected, and whether the researcher had acted with malicious intent. The investigation concluded on November 26, 2019.

All affected customers were privately notified within 24 hours of the initial report.

The Uncomfortable Questions

As the investigation progressed, HackerOne’s leadership became concerned about one specific detail. Haxta4ok00 had opened and viewed a significant number of reports, far more than would have been necessary to verify access to the analyst’s account.

Jobert Abma, co-founder of HackerOne, reached out directly to the researcher: “We didn’t find it necessary for you to have opened all the reports and pages in order to validate you had access to the account. Would you mind explaining why you did so to us?”

Haxta4ok00’s response was candid: “I did it to show the impact. I didn’t mean any harm by it. I reported it to you at once. I was not sure that after the token substitution I would own all the rights. I apologize if I did anything wrong. But it was a white hack.”

This exchange highlighted a gray area in ethical hacking: how much probing is acceptable when you’ve discovered unauthorized access? In traditional penetration testing, security professionals are trained to demonstrate “proof of concept” by showing the full extent of what an attacker could accomplish. But when that access is gained accidentally and without explicit authorization, the ethical boundaries become murkier.

HackerOne ultimately determined that haxta4ok00 had acted without malicious intent and had been fully transparent about the information accessed. The company awarded a 20,000-dollar bounty for the discovery. The bug was rated “High severity” with a CVSS score of 8.3, but HackerOne treated it internally as “Critical.”

The company also issued a warning: “During our Incident Response process, we noticed that a few reports were accessed after you submitted the report to us. Although we understand why you did so, we’d like to stress that this behavior may disqualify you from a bounty in the future.”

The Root Cause and the Fix

The immediate cause of the breach was clear: human error. The security analyst had accidentally shared sensitive data in what they believed to be a harmless support conversation.

The deeper issue was that HackerOne’s platform did not implement additional technical defenses to prevent session cookies from being reused in different contexts. The application allowed session cookies to work from any location and any device. This was a deliberate decision to avoid degrading the user experience for researchers who work from mobile connections, public Wi-Fi, or through VPNs and proxies.

This is a classic security trade-off: convenience versus protection.

In response to the incident, HackerOne implemented several immediate and long-term security measures:

Session Binding to IP Address: User sessions were bound to the specific IP address used during initial sign-in. If someone attempts to use a session cookie from a different IP address, the session automatically terminates.

Geographic Restrictions: HackerOne began blocking access from certain countries on a restricted list, preventing session cookies from being used in those locations.

Improved Incident Response: The company updated its protocols to page the on-call security person immediately when a critical report is submitted, ensuring faster response times.

Bug Bounty Policy Update: HackerOne revised its bug bounty program policy to explicitly outline actions that should be taken if a researcher gains access to a HackerOne account, sensitive keys, or sensitive data.

Enhanced Logging: The company committed to improving its logging capabilities around data access, allowing for faster and more comprehensive incident response in the future.

Sensitive Data Detection: HackerOne implemented systems to detect and automatically redact sensitive data, including cookies, session tokens, and authentication keys, from user comments and communications.

The Industry Reaction

The cybersecurity community’s response to the incident was mixed. Many praised HackerOne’s transparency while also questioning why basic security measures hadn’t been in place from the start.

Graham Cluley, a well-known security analyst, described the incident as “sloppy” in a blog post, noting that “a simple human error potentially put other companies’ bugs in danger of being exposed.”

Ilia Kolochenko, founder and CEO of web security company ImmuniWeb, was even more pointed: “It is quite surprising that the security measures, now announced by HackerOne, were not implemented before, given that some of them are of a fundamental and indispensable nature.”

He added a darker warning: “In the near future, attackers will consider targeted attacks against crowd security testing platforms. This incident will serve as a catalyzer after disclosing how many unprecedented opportunities cybercriminals may get by breaching one single privileged account.”

The Larger Lesson

The HackerOne incident reveals a fundamental paradox in modern cybersecurity: the platforms we trust to protect us become attractive targets themselves.

Bug bounty platforms like HackerOne, Bugcrowd, and others serve as centralized repositories for some of the internet’s most sensitive information. Detailed instructions on how to break into systems that protect millions of users. This creates what security professionals call “concentration risk”: putting all your eggs in one basket makes that basket extremely valuable to attackers.

But the most inspiring part of this story isn’t the vulnerability itself. It’s what happened after it was discovered.

Haxta4ok00 could have weaponized the access, sold the data, or quietly exploited it for personal gain. Instead, the researcher did exactly what the ethical hacking community advocates: report first, ask questions later, and trust the process.

This incident demonstrates why responsible disclosure policies matter, why bug bounty programs work, and why building trust between security researchers and organizations is essential to keeping the internet safe.

As HackerOne itself noted in its incident report: “This was a vulnerability reported through HackerOne’s own bug bounty program by an active HackerOne hacker community member and was safely resolved.”

The Final Takeaway

When haxta4ok00 discovered that door left open, the researcher faced a test that happens in quiet moments, late at night, when no one is watching. The choice to report instead of exploit reflects the values that separate white-hat hackers from criminals.

The story also offers a cautionary tale for security professionals everywhere: even platforms built to find vulnerabilities have blind spots. Human error is inevitable. The question is whether your systems are designed to catch those errors before they become disasters.

Transparency and trust are the immune system of the internet. HackerOne could have buried this incident, issued vague statements, or blamed the researcher for looking too close. Instead, they published a detailed incident report, awarded a bounty, and implemented systemic fixes. They turned a moment of vulnerability into a case study in responsible disclosure.

Stories like haxta4ok00’s remind us why we do this work: not for the exploits, but for the defense. Not for the access, but for the protection. Not for personal gain, but for the collective good.

That’s the hacker ethic worth celebrating.

more insights

When the Hacker Was an Algorithm

February 2, 2026

When the Hacker Was an Algorithm: Inside the First AI-Orchestrated Cyber Espionage Campaign In September 2025, Anthropic security engineers spotted something wrong in their system

Read more >

The Phantom Hacker

January 30, 2026

The Phantom Hacker: Dylan Wheeler Got Away With $100 Million in Cybercrime Four teenage hackers stole over $100 million from Microsoft, Epic Games, and the

Read more >

ClawdBot/Moltbot

January 27, 2026

ClawdBot/Moltbot: When Viral AI Tools Become Security Nightmares ClawdBot exploded onto the tech scene in January 2026. Within three days, the open-source AI assistant rocketed

Read more >