Uber confirmed that hackers breached some part of its network in October 2016 and made off with personal data for 50 million users and 7 million drivers.
A few months earlier, an Italian researcher had disclosed a critical improper-authentication vulnerability in the Uber platform that allowed a password reset for any account.
In official statements issued today, one for riders and one for drivers, Uber said the hackers made off with names, email addresses, and mobile phone numbers for both rider and driver accounts. The hackers also downloaded the driver's license numbers of around 600,000 US drivers.
Uber said that, based on the evidence available so far, the hackers did not download location history, credit card numbers, bank account numbers, Social Security numbers, or dates of birth.
The incident took place in October 2016, but the company learned about the hack a month later, in November 2016.
Two hackers are allegedly behind the breach
In a separate message posted online by Uber's recently appointed CEO, Dara Khosrowshahi, the company said it believes two hackers were involved.
Bloomberg, which first broke the story, reports that the company paid the two hackers $100,000 to delete the data and keep quiet about the incident. Bloomberg also reported that Uber asked its security chief, John Sullivan, to resign and fired one of the lawyers who acted as Sullivan's deputy.
Khosrowshahi also said the company has informed law enforcement authorities and the FTC of the hack. Uber reached out to regulators only last week, almost a year after the breach, and only once it became evident that the news was about to reach the public.
After the news broke, the New York Attorney General opened an investigation into how Uber handled the hack and into its failure to alert users and authorities as soon as it learned of the incident.
Hackers got data from “third-party cloud service”
According to Khosrowshahi, the hackers "inappropriately accessed user data stored on a third-party cloud-based service" that Uber was using to store user data. Khosrowshahi made it clear that the hackers "did not breach [Uber's] corporate systems or infrastructure."
From the outside, the breach appears to have resulted from an unsecured or misconfigured cloud server, most likely a staging system used for testing or other in-development work. Such incidents have been rampant over the past two years, with the most recent cloud-storage misconfiguration affecting the US military.
"We continue to see security control misconfigurations that result in costly breaches," said Stephan Chenette, CEO and Co-Founder of AttackIQ. "What makes this breach particularly damning is the failure of Uber to ethically disclose the breach to its customers. This is another epic failure."
The company plans to release a statement to customers saying it has seen "no evidence of fraud or misuse tied to the incident." Uber said it will provide drivers whose license numbers were compromised with free credit monitoring and identity theft protection.