Hackers extorting money from Uber and LinkedIn plead guilty

Two hackers extorting money from Uber and LinkedIn pleaded guilty: 26-year-old American Brandon Glover and 23-year-old Canadian Vasile Mereacre pleaded guilty to stealing data from 57 million Uber passengers and drivers, as well as data from 90,000 users.

Uber was hiding the incident for a year, which lead complains to the data storage and company policies as a result of this case.

“In 2016, these two hackers used “their own tool to verify GitHub accounts ” and tried to apply credentials from other sites that had previously leaked to public access to GitHub accounts. At the same time, hackers targeted corporate employees to crack the most valuable accounts and find sensitive information”, – reported in official court documents.

After penetrating other people’s accounts, GitHub, Glover and Mereacre searched for credentials from Amazon Web Services (AWS), which they then used to connect to the backends of companies and obtain confidential information (user information or backups). This way was stolen data from 57,000,000 Uber passengers and drivers, as well as data from 90,000 LinkedIn users.

Read also: Vulnerability in PHP7 threatens nginx server security

Having stolen the data, hackers began to blackmail the affected companies. To do this, they created a box on Protonmail and got in touch with companies. Therefore, in early November 2016, they contacted the Uber security chief and said they “discovered a serious vulnerability” by providing a sample of the stolen data.

Glover and Mereacre demanded to pay them $ 100,000 in cryptocurrency, which Uber ultimately agreed to. The payment was made through the HackerOne vulnerability reward program, and Uber demanded that hackers sign a confidentiality agreement that prohibits the use of data and the public disclosure of hacking information.

Subsequently, Uber was hiding what happened for almost a year. Hacking and data leakage became known only at the end of 2017, when the new management of the company, which decided to publish the information, became aware of the incident.

As a result, Uber underwent a rigorous security audit, was fined in the UK (£ 385,000) and the Netherlands (€ 600,000), and agreed to pay $ 148 million in the United States as part of a class action lawsuit.

While hackers went relatively smoothly with Uber, things went wrong with LinkedIn. Court documents indicate that the hackers turned to LinkedIn in December 2016, but the company did not put up with an attempt to extort and decided publicly report a security violation.

“By bargaining with LinkedIn, hackers tried to raise the ransom to a seven-figure number”, – reported in court documents.

Law enforcement agencies began investigating these incidents after Uber officially announced what happened in 2017, and soon both extortionists were arrested. This week, the two pleaded guilty, and now they face up to five years in prison and a fine of $ 250,000 each.

William Reddy

I am from Ireland. My parents bought me a computer when I was 11, and several month after I have got a virus on this PC. I decided to enter the INSA Centre Val de Loire university after being graduated from the school. This French educational institution was offering a brand-new cybersecurity course. After getting the master degree in cybersecurity, I've started working in as virus analyst in a little anti-malware vendor. In 2018, I've decided to start Virus Removal project. The main target of this site is to help people to deal with PC viruses of any kind.

Leave a Reply

Your email address will not be published. Required fields are marked *


Back to top button