Uber Paid Hackers $100K to Conceal 2016 Data Breach

Published: 22/11/2024   Category: security




The ride-sharing company has confirmed an October 2016 data breach that compromised 57 million accounts.



Uber late yesterday disclosed that hackers in October 2016 had gained access to data stored in a third-party cloud storage account, resulting in a breach affecting 57 million people, including users and drivers. The ride-sharing service paid the attackers $100,000 to keep the attack quiet.
What's especially alarming about the data breach is not its size (previous attacks on Yahoo, Equifax, Anthem, and Target were larger) but how Uber handled it.
"What makes this one stand out is absolutely the time duration," says McAfee Labs vice president Vincent Weafer. "It's almost a year ago that the actual event occurred; we're just finding out about it now."
Hackers were able to access and download the names and driver's license numbers of about 600,000 drivers in the US. Compromised rider data includes names, email addresses, and mobile phone numbers, Uber's CEO Dara Khosrowshahi said in a blog post.
Uber's forensics experts have not seen signs indicating attackers downloaded trip location history, credit card numbers, bank account numbers, Social Security numbers, or dates of birth.
Several federal and state laws require businesses to alert both customers and government agencies following data breaches. Not only did Uber fail to do this, but it also paid the attackers, who stole the data and then demanded $100,000 from the company to delete it.
Uber tracked down the hackers, pushed them to sign nondisclosure agreements, and disguised the payout as part of a bug bounty program, the New York Times reports. While Uber did launch a bug bounty program in 2016, rewards are capped at $10,000 for critical bugs. It's unclear whether the actors in this case were malicious or gray-hat hackers who merely wanted to give Uber a vulnerability wake-up call.
The company's chief security officer Joe Sullivan, who led the response to last year's attack, has been terminated for concealing the breach, as has his deputy. Former CEO and cofounder Travis Kalanick learned of the attack in November 2016 but has not yet commented, Bloomberg reports.
How it happened
Hackers reportedly gained access to a private GitHub coding site used among Uber software engineers. There, they found login credentials for an Amazon Web Services account where Uber handled computing tasks. The account contained an archive of customer and driver data.
"This appears to be a prime example of good intentions gone bad," says Imperva CTO Terry Ray. "Using an online collaboration and coding platform isn't necessarily wrong, and it isn't clear if getting your accounts hacked on these platforms is even uncommon."
While technical details are still unclear, Snyk CEO and co-founder Guy Podjarny says it's likely attackers compromised one of the developers, who typically work in privileged environments. "Developers aren't necessarily the most secure individuals," he points out, "and they're quick to be early adopters and try new tools."
The hackers' path could have been as simple as a phishing attack or an unsecured WiFi network. Once an attacker had access to one developer's machine, they could have gained access to the rest of the network, the GitHub account, and the credentials they needed to log into AWS.
"The problem starts with using live production data on an online platform where credentials were accessible on GitHub," Ray explains.
"It's all too common that developers are allowed to copy live production data for use in development, testing, and QA," he says. "This data is almost never monitored or secured, and as we can see here, it is often stored in various locations and is often easily accessed by nefarious actors."
These repositories are usually private, but unless someone takes time to fine-tune access, large portions of the development team can see them. "It takes special effort to fine-tune which developers have access to which repositories," adds Podjarny.
One mistake was checking a password into GitHub, which could have been surfaced during an internal pen test or security audit. Another was granting developers access to the repository with so much sensitive data. Given how many attacks start with compromised credentials, it's on companies to ensure employees use 2FA for critical applications and don't have access to sensitive data they don't need.
"You should never have the keys to the kingdom shared," says Podjarny of storing credentials in GitHub. "If they're compromised in one place, they're going to be exploited in another area."
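As an added illustration of the audit check referred to above (example code, not Uber's or GitHub's tooling), here is a small pre-commit style scanner that flags AWS access key IDs and high-entropy secret assignments in text before it reaches a repository. The sample config is constructed using the placeholder keys from AWS's own documentation, and the key-name list, regexes and entropy threshold are assumptions a team would tune to its own code base.

```python
"""Pre-commit style scanner for cloud credentials checked into source (added example)."""
import math
import re
from dataclasses import dataclass
from typing import List

# AWS access key IDs: fixed prefix (AKIA long-term, ASIA temporary) plus 16 chars.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Assignments whose name hints at a secret and whose value is a long token (assumed list).
ASSIGNMENT_RE = re.compile(
    r"(?i)(aws_secret_access_key|secret|password|token)\s*[:=]\s*['\"]?([A-Za-z0-9/+=_\-]{16,})"
)
ENTROPY_THRESHOLD = 4.0  # bits/char: random base64 is ~5, English-like text roughly 3 to 3.6


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    excerpt: str  # secret value already redacted, so the report is safe to log


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's own symbol distribution."""
    if not s:
        return 0.0
    return -sum(n / len(s) * math.log2(n / len(s)) for n in (s.count(c) for c in set(s)))


def scan_text(text: str) -> List[Finding]:
    """One Finding per suspicious line; the entropy gate drops obvious placeholders."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        if m := ACCESS_KEY_RE.search(line):
            findings.append(Finding(n, "aws_access_key_id", line.strip().replace(m.group(0), "<redacted>")))
        elif (m := ASSIGNMENT_RE.search(line)) and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
            findings.append(Finding(n, "high_entropy_secret", line.strip().replace(m.group(2), "<redacted>")))
    return findings


# Constructed sample of a config committed by mistake; the key values are the
# placeholders AWS uses in its own documentation, not live credentials.
SAMPLE = """\
region = us-east-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
password = hunter2
token = changeme_placeholder
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):  # a real hook would scan the staged diff instead
        print(f"line {f.line_no}: {f.kind}: {f.excerpt}")
```

Run against the sample, the scanner reports the access key ID and the secret key but not the short password or the low-entropy `changeme_placeholder` value, which is the false-positive behaviour a hook needs to be usable.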
Experts agree: paying hackers is a risky move and should be avoided, but there are circumstances in which it's necessary. "Even if you pay money to hackers, you're relying on them being honest," says Weafer. "They could have copies or be selling it on the Dark Web."
Casey Ellis, founder and CTO at Bugcrowd, calls the Uber scenario "garden variety extortion." While it was not best practice to pay in this scenario, there are circumstances in which it's economically rational and less risky. The big problem here is with responsible disclosure; organizations have a clear responsibility to disclose breaches and alert those affected.
"Paying off hackers without following disclosure laws is ill-advised at best," Ellis says. "Extortion is not a dying practice; as long as there are economically incented adversaries and companies willing to pay, we'll continue to see it."
What's Next
Khosrowshahi, who took the wheel at Uber in September 2017 and says he recently learned about the hack, reports that the company took immediate steps to secure the data and prevent further unauthorized access by attackers.
"We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed," he writes. "We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts."
Khosrowshahi has hired Matt Olsen, former general counsel of the National Security Agency, to help guide response efforts. Drivers whose license numbers were downloaded will be individually notified and receive free credit monitoring and identity theft protection. Uber is also notifying regulatory authorities and flagging affected accounts for fraud protection.
"None of this should have happened, and I will not make excuses for it," says Khosrowshahi in his post. "We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers."
