Two hackers, Brandon Charles Glover and Vasile Mereacre, have pleaded guilty in a U.S. District Court to stealing large troves of personal data from AWS databases owned by Uber and LinkedIn and to subsequently trying to extort the two companies in exchange for returning the stolen data.
In November 2017, Uber’s new CEO Dara Khosrowshahi, who replaced Travis Kalanick as the new head of the ride-hailing service, announced that in October 2016, two malicious actors accessed login credentials for one of Uber’s Amazon Web Services servers from coding site GitHub and stole names and driver’s license numbers of around 600,000 drivers in the United States, as well as personal information of 57 million Uber users around the world, including names, email addresses and mobile phone numbers.
The data theft also compromised the personal information of as many as 2.7 million Brits, including 82,000 drivers. However, the National Cyber Security Centre said that even though the breach involved user names, email addresses and mobile phone numbers of 2.7 million Brits, the stolen information did not pose a direct threat to people or allow direct financial crime.
In November last year, the Information Commissioner’s Office (ICO) issued a fine of £385,000 to Uber for failing to safeguard the personal information of around 2.7 million UK citizens. It found that Uber paid the attackers responsible $100,000 to destroy the data they had downloaded and did not inform customers about the data theft.
While Autoriteit Persoonsgegevens, the Dutch data protection authority, issued a fine of €600,000 to Uber for failing to protect the personal information of 174,000 Dutch citizens whose data was compromised in the 2016 breach, Uber was ordered to pay a fine of $148 million (£116.5 million) in the United States for failing to notify affected drivers and customers about the breach.
Hackers used GitHub account credentials to access AWS databases of Uber and LinkedIn
Brandon Charles Glover and Vasile Mereacre, the two hackers who stole personal data of Uber’s drivers and customers and later demanded ransom from the company, initially used a cache of stolen user data and a custom-built GitHub account checker tool to determine whether the stolen credentials were also valid as GitHub account credentials.
Once the hackers identified valid GitHub account credentials belonging to corporate employees, they used them to gain access to the employees’ accounts and from there obtained Amazon Web Services credentials, which they then used to access AWS S3 buckets and search for and download stored data.
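The attack chain above turned on AWS credentials being reachable from GitHub accounts, so the defender-side control is to stop such keys from ever landing in a repository. The following is an added example (not code from the article or from Uber, LinkedIn or AWS) of a small pre-commit style scanner that flags AWS access key IDs and, to limit false positives, flags 40-character secrets only when the same line names an AWS secret variable; the sample config content is constructed and uses the well-known AWS documentation example key pair.

```python
import re
import sys
from typing import List, Tuple

# Long-term (AKIA) and temporary (ASIA) access key IDs are 20 uppercase alphanumerics.
ACCESS_KEY_ID_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")
# A secret access key is 40 base64-alphabet chars. On its own that matches far too
# much, so it is only flagged when the line also mentions an AWS secret variable.
SECRET_KEY_RE = re.compile(
    r"(?i)aws.{0,20}secret.{0,20}[=:]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


def redact(value: str) -> str:
    """Keep only the first and last four characters so findings can be logged safely."""
    return value[:4] + "..." + value[-4:]


def scan_text(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, finding_type, redacted_value) for each suspected AWS credential."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            findings.append((line_no, "aws_access_key_id", redact(m.group(1))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append((line_no, "aws_secret_access_key", redact(m.group(1))))
    return findings


# Constructed sample: a credentials file as it might be committed by mistake.
# The key pair is the AWS documentation example pair, not a live credential.
SAMPLE = """[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
region = us-east-1
# a harmless 40-char token on a line without an AWS secret keyword: must not be flagged
checksum = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMN
"""

if __name__ == "__main__":
    # Usage as a hook: python scan.py file1 file2 ...; exits 1 if anything is found.
    paths = sys.argv[1:]
    results = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            results += [(path,) + f for f in scan_text(fh.read())]
    if not paths:
        results = [("<sample>",) + f for f in scan_text(SAMPLE)]
    for path, line_no, kind, value in results:
        print(f"{path}:{line_no}: {kind} {value}")
    sys.exit(1 if results else 0)
```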
Once they had large troves of corporate and customer data in their possession, the two hackers contacted Uber and LinkedIn and demanded large sums of money by claiming that they had discovered a major vulnerability in their AWS servers. Uber acquiesced to their demands, paid them $100,000 in bitcoin by classifying it as a bug bounty payment and made them sign confidentiality agreements to prevent public disclosure of the breach.
The two hackers also stole 90,000 Lynda.com user accounts using the same method but were unable to extract any money from LinkedIn, the company that owned the domain. Instead of paying ransom, LinkedIn chose to announce the security breach to the public.
Even though they used two different Protonmail accounts to communicate with senior executives at Uber and LinkedIn, the two hackers were identified by law enforcement, arrested and brought before the court.