Relatable Uber Hacker Was Just Trying To Pay His Bills

Uber, the ride-hailing smartphone app, paid a Florida hacker $100,000 to destroy data taken in the company's 2016 hack, which resulted in the breach of 57 million users, Reuters reported.

You can understand the panic and the attempt to hush it up, especially in light of how much controversy Uber has courted in the past few years, but with the information of so many users who trust the company at stake, this was a serious failure and a huge mistake that may be extremely hard to recover from.

Uber spokesman Matt Kallman declined to comment to Reuters.

Uber ended up firing its chief security officer Joe Sullivan and attorney Craig Clark over their roles in the data breach, so it looks like the company isn't exactly chuffed with how the situation was handled, even though it has yet to comment on the revelations Reuters' sources have been serving up.

While the exact identity of the hacker hasn't been revealed, it is suspected that then-CEO Travis Kalanick was aware of the breach and payment. Rewards for identifying bugs in code are more typically in the range of $5,000 - $10,000.

Speaking to the publication, one source described the hacker as "living with his mom in a small home trying to help pay the bills". Uber is also believed to have conducted a forensic analysis of the hacker's computer to make sure that all data on the company had been wiped.

The breach, dating back to 2016, apparently occurred after hackers compromised a private GitHub repository and harvested engineering credentials that were later used to access an Amazon Web Services (AWS) account and the information stored within. Uber's bug bounty service is hosted by HackerOne, a company that connects security researchers with companies.

GitHub said the attack did not involve a failure of its security systems.

At the time of the incident, Uber approached the two hackers and "obtained assurances that the downloaded data had been destroyed", and upped the security of the third-party cloud-based storage account they had accessed, he added.

It has also emerged that the $100,000 paid to the hacker in return for deleting the data was channelled through Uber's bug bounty service, hosted by HackerOne; according to a former executive, the sum represents a record payment by the service.
