Hackers for good: How Anand Prakash rescued Facebook

In the first installment in an occasional series about ethical hackers, Passcode profiles one of India's most successful freelance cybersecurity researchers known for finding – and helping fix – serious flaws in Facebook.

Kshitij Nagar/Special to The Christian Science Monitor
Bug bounty hunter Anand Prakash with his dog Whiskey at his home in Bangalore, India.

Anand Prakash is one of the tens of thousands of young Indians who have flocked here in the past several years chasing their fortunes in this city's teeming tech industry.

The deluge has transformed a once laid-back "pensioners' paradise" into a chaotic mélange of glass and steel buildings, office parks, and grinding traffic gridlock. Bangalore has become America's information technology back office, its help desk, and its customer hot line.

But unlike many of his peers working on engineering and development teams, Mr. Prakash is more comfortable breaking software. He's a hacker. In fact, he's one of the most well known in India, famous for hacking Facebook and Google.

No, he's not a criminal, a digital prankster, or online miscreant. He's a hacker for good – a so-called "white hat hacker." In essence, Prakash serves as a one-man technical help desk for some of the most powerful software companies in the world: He roots out software vulnerabilities, reports the bugs to tech giants, and is rewarded – handsomely.

He recently earned $15,000 for reporting a single flaw to Facebook that could have exposed account details on the company's more than 1 billion users. In a blog post about the vulnerability, Prakash described how he manipulated a security vulnerability to show that anyone could reset another user's account password. In all, he’s earned more than $200,000 for reporting security issues to Facebook, Twitter, Google, eBay, and Dropbox, just to name a few.

Kshitij Nagar/Special to The Christian Science Monitor
Ethical hacker Anand Prakash recently earned $15,000 for reporting a single flaw to Facebook.

At a time when the term "hacker" has become more associated with bad guys and foreign spies breaking into tech companies such as Yahoo or political organizations like the Democratic National Committee, Prakash provides an antidote to that prevailing narrative. He doesn't wear a black hoodie or dwell in the darker corners of the internet.

When we met at a cafe on Bangalore’s Sarjapur Road, Prakash wore neat slacks and a button-down shirt. He looked like he would be more at home working inside an H&R Block branch office than appearing in an episode of the hacker TV drama "Mr. Robot."

He had none of the studied insouciance or the condescension that many others of his ilk display to security neophytes. He's soft spoken and polite, perhaps because of his rural upbringing in the village of Bhadra, in the northwestern Indian state of Rajasthan, about 1,500 miles away from Bangalore’s often crass urbanity.

He's the first engineer in a family of farmers. Prakash's father dropped out of school after 10th grade and runs a small pesticide business in the village. His mother is illiterate. "They don’t even know what I do. But they are proud of me," he says.

Prakash's journey to Bangalore began when he was 16. On a dare, he broke into a friend’s account on Orkut, the social media site Google shut down in 2014. With a little research and a basic knowledge of programming, Prakash constructed a fake log-in page where his friend revealed his account credentials. That trick launched his hacking career. 

He discovered ethical hacking while completing an engineering degree in computer science from the Vellore Institute of Technology in the south Indian coastal city of Chennai. An internship with the Cyber Police Investigation Branch of the Gurgaon Police near Delhi provided insight into how criminal hackers – or "black hats" in tech parlance – operated.

While he was still in college in 2011, Facebook launched its bug bounty program, a way of rewarding security researchers who discovered and reported software flaws to the social media giant. Since then, bug bounties have become the norm. Earlier this year, the Pentagon invited hackers to attack its sites in a bug bounty program. Apple has one now, and so does GM.

And many other young, talented Indian hackers have joined bug bounty efforts, too, looking to put their computer talents to work outside the offices filled with banal software development or tech support teams in Bangalore.

Since launching its bounty program, Facebook has paid out close to $720,000 to researchers from India – more than any other country. In fact, at 23, Prakash is already older than many in a growing cadre of hundreds of Indian bug bounty hunters.

Prakash says he's not just hunting for software bugs for the money. He says he could earn a lot more selling vulnerabilities to government agencies that buy these exploits as ways of spying on adversaries or to shadowy criminal groups that use them for illegal purposes.

"I’m mainly concerned about data privacy. I do not want to harm users," he says. "There is a kind of happiness when you do something for good."

Editor's note: This story was updated after publication to correct the history of the social media site Orkut and the location of Anand Prakash's hometown.
