Two hackers extorting money from Uber and LinkedIn pleaded guilty: 26-year-old American Brandon Glover and 23-year-old Canadian Vasile Mereacre pleaded guilty to stealing data from 57 million Uber passengers and drivers, as well as data from 90,000 Lynda.com users.
Uber was hiding the incident for a year, which lead complains to the data storage and company policies as a result of this case.
“In 2016, these two hackers used “their own tool to verify GitHub accounts ” and tried to apply credentials from other sites that had previously leaked to public access to GitHub accounts. At the same time, hackers targeted corporate employees to crack the most valuable accounts and find sensitive information”, – reported in official court documents.
After penetrating other people’s accounts, GitHub, Glover and Mereacre searched for credentials from Amazon Web Services (AWS), which they then used to connect to the backends of companies and obtain confidential information (user information or backups). This way was stolen data from 57,000,000 Uber passengers and drivers, as well as data from 90,000 LinkedIn Lynda.com users.
Having stolen the data, hackers began to blackmail the affected companies. To do this, they created a box on Protonmail and got in touch with companies. Therefore, in early November 2016, they contacted the Uber security chief and said they “discovered a serious vulnerability” by providing a sample of the stolen data.
Glover and Mereacre demanded to pay them $ 100,000 in cryptocurrency, which Uber ultimately agreed to. The payment was made through the HackerOne vulnerability reward program, and Uber demanded that hackers sign a confidentiality agreement that prohibits the use of data and the public disclosure of hacking information.
Subsequently, Uber was hiding what happened for almost a year. Hacking and data leakage became known only at the end of 2017, when the new management of the company, which decided to publish the information, became aware of the incident.
As a result, Uber underwent a rigorous security audit, was fined in the UK (£ 385,000) and the Netherlands (€ 600,000), and agreed to pay $ 148 million in the United States as part of a class action lawsuit.
While hackers went relatively smoothly with Uber, things went wrong with LinkedIn. Court documents indicate that the hackers turned to LinkedIn in December 2016, but the company did not put up with an attempt to extort and decided publicly report a security violation.
“By bargaining with LinkedIn, hackers tried to raise the ransom to a seven-figure number”, – reported in court documents.