The Shellshock bug is bad news, and Yahoo may’ve just found out first hand. 

At least two servers for Yahoo Games were allegedly breached in a hack discovered by security researcher Jonathan Hall.  

Hall says he found evidence that Romanian hackers gained access to at least two of Yahoo’s servers by exploiting the Shellshock bug, a vulnerability in bash, a low-level program used to execute other programs. By exploiting the bug, hackers can gain remote access of servers and systems. Hall said Yahoo’s servers were vulnerable because they were using an older version of bash.

Hall, a Unix expert with Future South Technologies, offers a lengthy explanation on the tech consulting firm’s website, where he describes how he tracked the breach to Yahoo’s game servers. Hall also shares an email he says he received from Yahoo confirming the breach. Since millions of people play Yahoo games every day, they make an ideal target for hackers. 

See also: Everything You Need To Know About The Shellshock Bug

If hackers gained control of a Yahoo server using Shellshock, they could potentially steal user information, deliver malware to vulnerable computers and take control of the system. So you’d think Yahoo would be grateful for the information. Hall, however, claims Yahoo did not reward him for the discovery, instead telling Hall that his findings didn’t qualify for its bug bounty program.

“I literally gave them two servers that were hacked, of which there were most likely more—without a doubt—considering one gets a public DNS response of a private IP address… And that doesn’t qualify? What a joke,” Hall posted on Reddit.

Yahoo has a poor track record when it comes to rewarding security researchers who uncover serious flaws, Mashable notes. Where a similar bug might net five figures at Facebook, Yahoo is more in the habit of awarding $25 vouchers which can be used to purchase t-shirts, pens and other items from Yahoo’s company store. 

Photo via Shutterstock