Uber Paid Hackers $100K to Conceal 2016 Data Breach

The ride-sharing company has confirmed an October 2016 data breach that compromised 57 million accounts.

Uber late yesterday disclosed that hackers in October 2016 had gained access to data stored in a third-party cloud storage account resulting in a breach affecting 57 million people, including users and drivers. The ride-sharing service paid the attackers $100,000 to keep the attack quiet.

What's especially alarming about the data breach is not its size - previous attacks on Yahoo, Equifax, Anthem, and Target were comparatively larger - but how Uber handled it.

"What makes this one stand out is absolutely the time duration," says McAfee Labs vice president Vincent Weafer. "It's almost a year ago that the actual event occurred; we're just finding out about it now."

Hackers were able to access and download names and driver's license numbers of about 600,000 drivers in the US. Compromised rider data includes names, email addresses, and mobile phone numbers, Uber's CEO Dara Khosrowshahi said in a blog post.

Uber's forensics experts have not seen signs indicating attackers downloaded trip location history, credit card numbers, bank account numbers, Social Security numbers, or dates of birth.

Several federal and state laws require businesses to alert both customers and government agencies following data breaches. Not only did Uber fail to do this, but it also paid the attackers, who stole the data and then demanded $100,000 from the company to delete it.

Uber tracked down the hackers, pushed them to sign nondisclosure agreements, and disguised the payout as part of a bug bounty program, the New York Times reports. While Uber did launch a bug bounty program in 2016, rewards are capped at $10,000 for critical bugs. It's unclear whether the actors in this case were malicious, or gray-hat hackers who merely wanted to give Uber a vulnerability wake-up call.

The company's chief security officer Joe Sullivan, who led the response to last year's attack, and his deputy have been terminated for concealing the breach. Former CEO and cofounder Travis Kalanick learned of the attack in November 2016 but has not yet commented, Bloomberg reports.

How it happened

Hackers reportedly gained access to a private GitHub coding site used among Uber software engineers. There, they found login credentials for an Amazon Web Services account where Uber handled computing tasks. The account contained an archive of customer and driver data.

"This appears to be a prime example of good intentions gone bad," says Imperva CTO Terry Ray. "Using an online collaboration and coding platform isn't necessarily wrong, and it isn't clear if getting your accounts hacked on these platforms is even uncommon."

While technical details are still unclear, Snyk CEO and co-founder Guy Podjarny says it's likely attackers compromised one of the developers, who typically work in privileged environments. Developers "aren't necessarily the most secure individuals," he points out, and they're quick to be early adopters and try new tools.

The hackers' path could have been as simple as a phishing attack or unsecured WiFi network. Once an attacker had access to one developer's machine, they could have gained access to the rest of the network, the GitHub account, and the credentials they needed to log into AWS.

The problem starts with keeping live production data on an online platform while the credentials to reach it sat accessible in GitHub, Ray explains.

"It's all too common that developers are allowed to copy live production data for use in development, testing, and QA," he says. "This data is almost never monitored or secured, and as we can see here, it is often stored in various locations and is often easily accessed by nefarious actors."

These repositories are usually private, but unless someone takes the time to fine-tune access, large portions of the development team can see them. "It takes special effort to fine-tune which developers have access to which repositories," adds Podjarny.

One mistake was checking a password into GitHub, which could have been surfaced during an internal pen test or security audit. Another was granting developers access to the repository with so much sensitive data. Given how many attacks start with compromised credentials, it's on companies to ensure employees use 2FA for critical applications and don't have access to sensitive data they don't need.

"You should never have the keys to the kingdom shared," says Podjarny of storing credentials in GitHub. "If they're compromised in one place, they're going to be exploited in another area."
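The first mistake Ray and Podjarny describe, an AWS key pair committed to a repository, is the kind of thing a pre-commit or CI scan catches before it ever reaches GitHub. Below is an added example of such a scan over a unified diff; it is not Uber's tooling or anything from the article, the diff is constructed, and the credential values are the placeholder pair from AWS's own documentation.

```python
"""Scan the ADDED lines of a unified diff for AWS long-term credentials."""
import math
import re
from typing import List, Tuple

# IAM user access key IDs are 20 characters beginning with "AKIA".
AWS_KEY_ID = re.compile(r"(?<![A-Z0-9])(AKIA[A-Z0-9]{16})(?![A-Z0-9])")
# Secret access keys are 40 characters drawn from the base64 alphabet.
AWS_SECRET = re.compile(r"(?<![A-Za-z0-9/+=])([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")
# Only treat a 40-char run as a secret when the line looks credential-related.
SECRET_CONTEXT = re.compile(r"secret|aws|key|token", re.IGNORECASE)

Finding = Tuple[int, str, str]  # (diff line number, kind, matched value)


def shannon_entropy(s: str) -> float:
    """Bits per character; a randomly generated 40-char secret scores well above 4."""
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def scan_diff(diff: str, min_entropy: float = 3.5) -> List[Finding]:
    """Return credentials found on lines a diff ADDS.

    Removed and context lines are skipped, so a commit that deletes a leaked
    key from a file does not itself trip the check.
    """
    findings: List[Finding] = []
    for lineno, raw in enumerate(diff.splitlines(), 1):
        if not raw.startswith("+") or raw.startswith("+++"):
            continue
        line = raw[1:]
        for m in AWS_KEY_ID.finditer(line):
            findings.append((lineno, "aws_access_key_id", m.group(1)))
        for m in AWS_SECRET.finditer(line):
            value = m.group(1)
            # The entropy gate screens out fixed placeholder strings.
            if SECRET_CONTEXT.search(line) and shannon_entropy(value) >= min_entropy:
                findings.append((lineno, "aws_secret_access_key", value))
    return findings


# Constructed diff; the key pair is the documented AWS placeholder, not a live credential.
SAMPLE_DIFF = """\
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,3 +1,5 @@
 DEBUG = False
-AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+AWS_SECRET_ACCESS_KEY_PLACEHOLDER = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
"""

if __name__ == "__main__":
    for lineno, kind, value in scan_diff(SAMPLE_DIFF):
        print(f"line {lineno}: {kind} {value[:4]}... (commit blocked)")
```

Wired into a pre-commit hook, a non-empty result from scan_diff is the signal to reject the commit; the low-entropy placeholder on the last added line is deliberately left unflagged.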

Experts agree: paying hackers is a risky move and should be avoided, but there are circumstances in which it's necessary. "Even if you pay money to hackers, you're relying on them being honest," says Weafer. "They could have copies or be selling it on the Dark Web."

Casey Ellis, founder and CTO at Bugcrowd, calls the Uber scenario "garden variety extortion." While it was not best practice to pay in this scenario, there are circumstances in which it's economically rational and less risky. The big problem here is with responsible disclosure; organizations have a "clear responsibility" to disclose breaches and alert those affected.

"Paying off hackers without following disclosure laws is ill-advised at best," Ellis says. "Extortion is not a dying practice - as long as there are economically incented adversaries and companies willing to pay we'll continue to see it."

What's Next

Khosrowshahi, who took the wheel at Uber in September 2017 and says he recently learned about the hack, reports the company took "immediate steps" to secure the data and prevent further unauthorized access by attackers.

"We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed," he writes. "We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts."

Khosrowshahi has hired Matt Olsen, former general counsel of the National Security Agency, to help guide response efforts. Drivers whose license numbers were downloaded will be individually notified and receive free credit monitoring and identity theft protection. Uber is also notifying regulatory authorities and flagging affected accounts for fraud protection.

"None of this should have happened, and I will not make excuses for it," says Khosrowshahi in his post. "We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers."


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

Comment from Joe Stanganelli, 11/27/2017 | 3:58:53 PM
GitHub + password reuse
Indeed, there have been numerous breaches in the news lately stemming from a GitHub hack. Password reuse is a common problem in these cases.