Grey Hat Hacker: What You Need to Know

Grey hat hackers are named so because their activities occupy an ethical grey area between the white hat-wearing good guys who hack information systems with the system owner’s permission to uncover and fix vulnerabilities and the hackers in the black hats who gain unauthorized access with clearly malicious intent. Grey hat hackers gain access to a system without the owner’s permission, look for vulnerabilities and then report their findings to the system’s owners. Their activities can be beneficial to the system’s owner, as they do not steal or damage data stored in the system, and they typically offer to fix the problem. 

So what’s in it for these hackers? In grey hat hacking, the hacker’s intention is often to show off their skills, gain publicity, or earn the appreciation of the system’s owner. As you might think, system owners are generally unappreciative of these unauthorized penetrations of their data infrastructure. And while they can provide helpful information regarding system vulnerabilities, their efforts are in fact illegal and viewed by the cyber security community as unethical. The grey hat hacker bends or even breaks the law for purposes that he sees as noble, but his friends in law enforcement see things differently and are likely to give him a ride “downtown” to express their lack of appreciation.   

An often-cited and high-profile example of grey-hat hacking is the 2013 hacking of Facebook founder Mark Zuckerberg’s FB page by an unemployed computer researcher named Khalil Shreateh. What was his motivation? To persuade Facebook to correct a bug he found that allowed him to post information on any user’s page without their consent. After Shreateh posted a message on Zuckerberg’s page, Facebook could no longer ignore him. The company told him the issue was not a bug, then corrected the vulnerability. As Shreateh violated Facebook’s policies, the company did not compensate him.  

The differences between these cyber security players lies basically in their intent. Let’s take a closer look at each of them.

White Hat Hackers often work as employees or contractors for companies that own information systems, complying with ethical standards and working under buttoned-down employment contracts. Using tactics that have come to be known as ethical hacking, they scour computer systems or networks to find security flaws or vulnerabilities, then make recommendations for improvements that can close these gaps, which provide potential access points for cybercriminals. They use the same methods as the black hat hackers, but with good intentions and the permission of the system’s owner. Their toolbox contains a variety of digital and physical tools like programming to lure cybercriminals and study their actions, malware, reconnaissance and research. Penetration testing is a subset of ethical hacking, with a focus on finding vulnerabilities and assessing risk within computer systems. Training courses, events and certifications dedicated to ethical hacking are all widely known in the industry, and are useful for anyone preparing to pursue a cyber security career. 

Black hat hackers are the cybercriminals who break into systems with malicious intent. They have been known to release malware that destroys files, holds computers and networks hostage (ransomware attacks), and steals passwords, account numbers and other personal information. What’s their motivation? It’s typically financial gain, but it can also be emotionally-charged, to exact revenge on an individual or institution they feel has wronged them or with whom they disagree with ideologically. The most successful black hats tend to be skilled hackers working for expansive and sophisticated criminal organizations or governments. These cybercriminals will often develop specialties such as phishing scams that use social engineering tactics to fool unsuspecting computer users into granting them access to protected networks. 

The grey hat hacker occupies the space in the middle. Like the black hats, they don’t have system owners’ permission to penetrate networks. But unlike the black hats, their intent is typically not malicious. When they find a vulnerability, they will typically not exploit it themselves, but will report it to the owner. Some companies have bug bounty programs that pay rewards to grey hats who report such issues. These payouts can range from a few hundred bucks to more than $100,000. Gray hats can, however, drift over to the dark side if their attempts to work with a network owner are ignored. In these cases, grey hats have been known to exploit the weaknesses themselves or post the vulnerabilities they’ve found, making them fair game for black hats to do their worst.

The question of whether grey hat hacking is a safe practice can be examined in several ways, from a simple data security point of view, but also from a legal and ethical perspective. Grey hat hackers are generally not considered a major threat because they don’t access systems with malicious intent. It would, however, be prudent to consider any unauthorized access of a network and the information in it to be unsafe.

What’s the legality of the grey hat hacker’s actions? They access systems without the network owners’ consent. Doing so makes their activities illegal. Think of it this way – if a thief gains access to your home by breaking a window and opening a locked door, even if nothing is stolen the intruder can be arrested and charged with breaking and entering. 

Ethically, as we mentioned earlier, the grey hat operates in that grey area between the sanctioned and above-board activities of the white hat and the distinctly unethical activities of the malicious black hat.

The focus of our discussion has mainly been the relationship between the various types of hackers and the organizations that own and maintain data systems, and the potential threats posed by malicious hackers. But since the consumer is often the target of various forms of cybercrime, everyone should know how to keep sensitive information safe. Here are a few tips to keep yourself safe from hackers: 

DeVry University can help you prepare to pursue a career in cybersecurity. With our online Undergraduate Certificate in Cyber Security, Associate degree in Cyber Security and Networking or Bachelor degree in Cyber Security and Networking, you can take your first steps toward becoming a cyber defender, protecting information, data infrastructure and brands from malicious attackers. This 100% online undergraduate certificate program can be completed in as little as 1 year and 2 months on an accelerated schedule* or 1 year and 6 months on a normal schedule.** 

Coursework in this program may also prepare you to pursue industry-relevant certifications in the cyber security space, like CompTIA’s Security+ and the EC Council’s Certified Ethical Hacker.