
Attacks/Breaches

11/22/2017 01:20 PM

Uber Paid Hackers $100K to Conceal 2016 Data Breach

The ride-sharing company has confirmed an October 2016 data breach that compromised 57 million accounts.

Uber late yesterday disclosed that hackers in October 2016 had gained access to data stored in a third-party cloud storage account, resulting in a breach affecting 57 million people, including users and drivers. The ride-sharing service paid the attackers $100,000 to keep the attack quiet.

What's especially alarming about the data breach is not its size - previous attacks on Yahoo, Equifax, Anthem, and Target were comparatively larger - but how Uber handled it.

"What makes this one stand out is absolutely the time duration," says McAfee Labs vice president Vincent Weafer. "It's almost a year ago that the actual event occurred; we're just finding out about it now."

Hackers were able to access and download names and driver's license numbers of about 600,000 drivers in the US. Compromised rider data includes names, email addresses, and mobile phone numbers, Uber's CEO Dara Khosrowshahi said in a blog post.

Uber's forensics experts have not seen signs indicating attackers downloaded trip location history, credit card numbers, bank account numbers, Social Security numbers, or dates of birth.

Several federal and state laws require businesses to alert both customers and government agencies following data breaches. Not only did Uber fail to do this, but it also paid the attackers, who stole the data and then demanded $100,000 from the company to delete it.

Uber tracked down the hackers and pushed them to sign nondisclosure agreements, and disguised the payout as part of a bug bounty program, the New York Times reports. While Uber did launch a bug bounty program in 2016, rewards are capped at $10,000 for critical bugs. It's unclear whether the actors in this case were malicious, or gray-hat hackers who merely wanted to give Uber a vulnerability wake-up call.

The company's chief security officer Joe Sullivan, who led the response to last year's attack, has been terminated, along with his deputy, for concealing the breach. Former CEO and cofounder Travis Kalanick learned of the attack in November 2016 but has not yet commented, Bloomberg reports.

How it happened

Hackers reportedly gained access to a private GitHub coding site used among Uber software engineers. There, they found login credentials for an Amazon Web Services account where Uber handled computing tasks. The account contained an archive of customer and driver data.

"This appears to be a prime example of good intentions gone bad," says Imperva CTO Terry Ray. "Using an online collaboration and coding platform isn't necessarily wrong, and it isn't clear if getting your accounts hacked on these platforms is even uncommon."

While technical details are still unclear, Snyk CEO and co-founder Guy Podjarny says it's likely attackers compromised one of the developers, who typically work in privileged environments. Developers "aren't necessarily the most secure individuals," he points out, and they're quick to be early adopters and try new tools.

The hackers' path could have been as simple as a phishing attack or unsecured WiFi network. Once an attacker had access to one developer's machine, they could have gained access to the rest of the network, the GitHub account, and the credentials they needed to log into AWS.

The problem starts with using live production data on an online platform while the credentials for that platform were accessible on GitHub, Ray explains.

"It's all too common that developers are allowed to copy live production data for use in development, testing, and QA," he says. "This data is almost never monitored or secured, and as we can see here, it is often stored in various locations and is often easily accessed by nefarious actors."

These repositories are usually private, but unless someone takes the time to fine-tune access, large portions of the development team can see them. "It takes special effort to fine-tune which developers have access to which repositories," adds Podjarny.

One mistake was checking a password into GitHub, which could have been surfaced during an internal pen test or security audit. Another was granting developers access to the repository with so much sensitive data. Given how many attacks start with compromised credentials, it's on companies to ensure employees use 2FA for critical applications and don't have access to sensitive data they don't need.

"You should never have the keys to the kingdom shared," says Podjarny of storing credentials in GitHub. "If they're compromised in one place, they're going to be exploited in another area."
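The mistake described above, a cloud credential checked into a source repository, is exactly what a secret scan during an internal audit is meant to surface. The following is an added example, not code from Uber, from the article, or from any product named in it: it scans a checkout for strings shaped like AWS access key IDs and secret access keys (the well-known credential format is an assumption of the example, not something the article states) and reports each hit with the value redacted. The checkout and the key values are constructed placeholders embedded in the script so it runs offline.

```python
"""Audit check: find cloud credentials committed to a source repository.

Added illustration; not code from Uber or from the article. Scans a
checkout (here a constructed in-memory one) for strings that look like
AWS access key IDs and secret access keys, the kind of finding an internal
security audit of a private repository would surface.
"""
import re
from dataclasses import dataclass

# Heuristic patterns. Assumption: AWS access key IDs are 20 characters
# beginning with "AKIA" (long-term) or "ASIA" (temporary); secret keys are
# 40 base64-like characters. The secret pattern additionally requires a
# nearby key name so that random 40-character tokens are not flagged.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[0-9A-Z]{16}(?![A-Z0-9])")
SECRET_KEY_RE = re.compile(
    r"(?i)(aws_?secret_?access_?key|aws_?secret)\s*[:=]\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str    # "access_key_id" or "secret_access_key"
    masked: str  # redacted value, safe to put in a report


def mask(value: str) -> str:
    """Keep only the first four characters so the report does not re-leak the secret."""
    return value[:4] + "*" * (len(value) - 4)


def scan_text(path: str, text: str) -> list[Finding]:
    """Scan one file's contents line by line and return every credential-shaped hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append(Finding(path, lineno, "access_key_id", mask(m.group(0))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append(Finding(path, lineno, "secret_access_key", mask(m.group(2))))
    return findings


def scan_repo(files: dict[str, str]) -> list[Finding]:
    """Scan a whole checkout; `files` maps repository path -> file contents."""
    out = []
    for path, text in sorted(files.items()):
        out.extend(scan_text(path, text))
    return out


# Constructed sample checkout. The key values are placeholders, not real credentials.
SAMPLE_REPO = {
    "README.md": "# Ingest service\nRun `make deploy` after setting AWS credentials in the env.\n",
    "config/settings.py": (
        "S3_BUCKET = 'example-export-bucket'\n"
        "AWS_ACCESS_KEY_ID = 'AKIAEXAMPLEKEY000001'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
    ),
    # Reads the key from the environment instead of embedding it: no finding expected.
    "scripts/deploy.sh": (
        "#!/bin/sh\n"
        'export AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID"\n'
        'aws s3 sync build/ "s3://$S3_BUCKET"\n'
    ),
}


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f.path}:{f.line}: {f.kind} {f.masked}")
```

In a real audit the same scan is run over every commit in the history (for example over `git log -p` output), not only the current tree, because deleting a credential from the latest revision leaves it recoverable from earlier ones; any hit is treated as already compromised and the key is rotated rather than merely removed.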

Experts agree: paying hackers is a risky move and should be avoided, but there are circumstances in which it's necessary. "Even if you pay money to hackers, you're relying on them being honest," says Weafer. "They could have copies or be selling it on the Dark Web."

Casey Ellis, founder and CTO at Bugcrowd, calls the Uber scenario "garden variety extortion." While it was not best practice to pay in this scenario, there are circumstances in which it's economically rational and less risky. The big problem here is with responsible disclosure; organizations have a "clear responsibility" to disclose breaches and alert those affected.

"Paying off hackers without following disclosure laws is ill advised at best," Ellis says. "Extortion is not a dying practice - as long as there are economically incented adversaries and companies willing to pay we'll continue to see it."

What's Next

Khosrowshahi, who took the wheel at Uber in September 2017 and says he recently learned about the hack, reports the company took "immediate steps" to secure the data and prevent further unauthorized access by attackers.

"We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed," he writes. "We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts."

Khosrowshahi has hired Matt Olsen, former general counsel of the National Security Agency, to help guide response efforts. Drivers whose license numbers were downloaded will be individually notified and receive free credit monitoring and identity theft protection. Uber is also notifying regulatory authorities and flagging affected accounts for fraud protection.

"None of this should have happened, and I will not make excuses for it," says Khosrowshahi in his post. "We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers."


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

Comments
Joe Stanganelli, User Rank: Ninja, 11/27/2017 | 3:58:53 PM
GitHub + password reuse
Indeed, there have been numerous breaches in the news lately stemming from a GitHub hack. Password reuse is a common problem in these cases.