Future South Technologies president Jonathan Hall reported that in recent days Yahoo servers had come under attack from Romanian hackers looking to build a botnet army from infected machines. Yahoo looked into the matter and confirmed the incursions, but stated that no client data was compromised. The Winzip and Lycos servers also fell victim to these attacks.
Originally believed, even by Yahoo staff, to be an exploit of the Shellshock vulnerability, the attack turned out to have taken advantage of a different bug in a debugging script that the website was running at the time. After fully studying the event, a Yahoo spokesman announced that the incident was isolated and that the compromised servers weren't used for storing client data.
The much more interesting story is how the attacks were discovered. A security researcher named Jonathan Hall discovered the threat and immediately reported it to Yahoo and to the FBI, telling them that Yahoo Sports and Yahoo Games servers had been compromised. The Sunnyvale-based company's staff thanked Jonathan for the information, but told him that he didn't qualify for any form of compensation from the bug bounty program. According to Mr. Hall, the FBI seemed interested, but was very slow to react.
Since the reaction from the people in charge didn't seem to be quick enough, the president of Future South Technologies decided to take matters into his own hands and modify the code on the hackers' servers in order to control and stop the attacks. However, as no good deed goes unpunished, running code on other people's servers is an action that could easily be deemed illegal in most courts.
Yahoo announced that they've identified the exploited vulnerability and fixed the issue.