August 1, 2019

Recon Data + New Scope

Note: Verizon Media is now known as Yahoo.


Hackers, Hackers, and you other hackers,

This recon+hacking period of H1-702 has been incredible. We have seen so much engagement and activity on our platforms and love for our team and our customers that I am at a loss for words. Thank you so much for everything. When we put the plan together for this event we expected one level of activity and you have already eclipsed that. Keep it coming!

We are Paranoid. We fight for our users, and so do you.

Recon Data

@nahamsec has been running recon summer camp sessions against *.yahoo.com and publishing his findings and stream recordings, but there’s more data out there that perhaps you missed in the Slack chat. We realize *.yahoo.com is enormous and finding the starting point can be hard. Last week we asked you all how you do recon and if you would share your data. These folks stepped up and will be receiving a small bonus as a thank you from us, but you are really the ones that benefit from this data sharing.

You should all send a special thank you to @nahamsec, @tomnomnom, and @erbbysam for sharing their recon data. Head over to the Policy Page for the files (scroll down, no, farther down).

@TomNomNom's data:

  • Domains (533245): {tomnomnom_domains.txt}
  • Domains that resolve (55848): {tomnomnom_resolved.txt}
  • Domains with webservers (8067): {tomnomnom_webservers.txt}
  • HTML Response headers for webservers: {tomnomnom_roots.tgz} (tar -xvf roots.tgz to extract)

@erbbysam’s data:

  • Subdomains (11941): {erbbysam_subdomains.txt}

@nahamsec’s streams:

New Scope

Huffington Post is now in scope for H1-702! This brand previously existed only in our Private program, but we’re bringing it to you now. Hack away!

  • *.huffpost.com
  • *.huffingtonpost.com
  • Any accounts you need will be self-service signup.

Identity Challenge

In case you missed the message in Slack on Tuesday…

The Identity Challenge ($60,000 bonus) has been achieved! Winners will not be announced yet.

Fret not! All that hard work you've put in so far to try to get those flags is not wasted. We will be offering a 2nd Place award at $30,000 to any report that can achieve the challenge again, in an entirely different way.

Happy Hacking,



The Paranoids