Data leak
NPR / DOJ / TechCrunch / Washington Post
Primary Source
Incident Details
Two attackers gained access to a private GitHub repository used by Uber engineers, found AWS credentials hard-coded in it, and used those keys to download data from an AWS S3 bucket covering 57M riders and drivers (names, email addresses, phone numbers; 600K US driver's license numbers). Uber CSO Joe Sullivan paid the attackers $100K in Bitcoin, routed through the bug bounty program, and had them sign NDAs to keep the breach quiet. The breach was not disclosed to the FTC, which at the time was investigating Uber's data security practices over an earlier breach and negotiating a settlement. The cover-up came to light under new CEO Dara Khosrowshahi, who disclosed the breach in November 2017. Sullivan was convicted in Oct 2022 of obstruction of justice and misprision of a felony. Uber paid $148M in a 2018 settlement with all 50 states and DC.
Technical Details
- Initial Attack Vector
- CWE-312: Cleartext Storage of Sensitive Information (long-lived AWS access keys committed to a private GitHub repository; the keys granted access to the S3 bucket holding rider and driver data)
- Vendor / Product
- Uber / AWS S3
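The weakness listed above is exactly what a pre-commit or CI secret scan exists to catch: an AWS access key ID and its secret sitting in a committed file. The following is an added example, not Uber's or any vendor's tooling. It scans text or a directory tree for AWS access key IDs (AKIA/ASIA prefix) and for labelled 40-character secret access keys, and applies an entropy filter so scrubbed placeholders such as `xxxx...` are not reported. The sample config is constructed; its key pair is the placeholder pair AWS uses in its own documentation, not a live key. The function names, the 3.5-bit entropy threshold and the label regex are this example's own choices.

```python
"""Detect AWS credentials committed to source control (the CWE-312 pattern above)."""
import math
import os
import re
from dataclasses import dataclass
from typing import List

# Long-term (AKIA) and temporary (ASIA) access key IDs: 4-char prefix + 16 uppercase alphanumerics.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])((?:AKIA|ASIA)[A-Z0-9]{16})(?![A-Z0-9])")

# Secret access keys are 40 characters from the base64 alphabet. That pattern alone is noisy
# (git SHAs, API tokens, hashes), so a key-like label must appear within a few characters before it.
SECRET_KEY_RE = re.compile(
    r"(?i)secret(?:_access)?_?key\W{0,5}([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

# Example's own threshold: a random 40-char key scores roughly 4.5-5.3 bits/char,
# a placeholder like 40 x's scores 0.
MIN_SECRET_ENTROPY = 3.5


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str   # "aws_access_key_id" or "aws_secret_access_key"
    value: str  # raw match; use redact() before logging it anywhere


def shannon_entropy(s: str) -> float:
    """Bits per character of s; used to drop low-entropy placeholder values."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(path: str, text: str) -> List[Finding]:
    """Return every credential-looking match in text, tagged with its 1-based line number."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append(Finding(path, line_no, "aws_access_key_id", m.group(1)))
        for m in SECRET_KEY_RE.finditer(line):
            secret = m.group(1)
            if shannon_entropy(secret) >= MIN_SECRET_ENTROPY:
                findings.append(Finding(path, line_no, "aws_secret_access_key", secret))
    return findings


def scan_tree(root: str, skip_dirs=(".git", "node_modules")) -> List[Finding]:
    """Scan a checked-out working tree. Note: this does NOT look at git history; a key that
    was committed and later deleted is still in every clone and must be rotated regardless."""
    findings: List[Finding] = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    findings.extend(scan_text(path, fh.read()))
            except OSError:
                continue
    return findings


def redact(value: str) -> str:
    """Keep just enough of a match to identify it in a report without re-leaking it."""
    return value[:4] + "..." + value[-4:]


# Constructed sample: a credentials/settings file of the kind that gets committed by mistake.
# The key pair is the placeholder AWS uses in its documentation, not a live key.
SAMPLE_CONFIG = (
    "[default]\n"
    "region = us-east-1\n"
    "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
    "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    "git_commit = a94a8fe5ccb19ba61c4c0873d391e987982fbbd3\n"   # 40 hex chars, no label: not reported
    "\n"
    "# A scrubbed template must not be reported (low-entropy placeholder):\n"
    "# aws_secret_access_key = " + "x" * 40 + "\n"
)

if __name__ == "__main__":
    for f in scan_text("sample.ini", SAMPLE_CONFIG):
        print(f"{f.path}:{f.line_no}: {f.kind} {redact(f.value)}")
```

A hit from a scanner like this is an incident, not a lint warning: the key has to be rotated and its CloudTrail activity reviewed before the history is rewritten, because deleting the file from the tree leaves the credential in every existing clone and fork. The label requirement is a deliberate trade-off; it keeps 40-character hashes and commit IDs out of the report at the cost of missing a secret stored under an unusual variable name.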
Timeline
- 2016-10-01 Breach occurred
- 2017-11-21 Publicly disclosed
- 2017-11-21 Customers notified