57 million users' data leaked by Uber.
That’s a lot of people.
What makes this data breach stand out from the countless other incidents reported every day, though, is the suggestion that Uber paid hackers $100,000 to keep the breach quiet.
How did the ‘hack’ happen?
In 2016, two hackers accessed a private GitHub coding site used by Uber software engineers. Within GitHub, the software engineers had stored login credentials for data stored on Uber’s Amazon Web Services account.
So, armed with this information, the hackers were able to log in to the AWS instance (no two-factor authentication enabled, clearly) and discovered an archive of rider and driver data.
The story goes that the hackers then contacted Uber to make them aware they had the data, and demanded money in an act of extortion. It is suspected that Uber agreed to pay the hackers, on the condition that the data be deleted and a non-disclosure agreement be signed. It is unclear whether this was done, as signing would clearly identify the hackers.
Uber ignored the federal law in the US, and laws in other countries, requiring that any data breach be disclosed. For that, they are already facing numerous lawsuits.
How could the breach have potentially been prevented?
Firstly, the GitHub site used by Uber’s software engineers should have been secured. At the very least, the usernames and passwords should not have been stored there, and not storing them there was no doubt already Uber’s policy.
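A check of the kind that keeps credentials out of a repository, as an added example that is not from the original post or from Uber: a small Python scanner that a pre-commit hook could run over staged files. The regexes, function names and sample files are assumptions constructed for illustration; the two key values are the placeholder keys from AWS's own documentation.

```python
import re

# Detection patterns: assumptions chosen for this example, not rules from the post.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})['\"]?"),
    "hardcoded_password": re.compile(
        r"(?i)(?:password|passwd|pwd)\w*\s*[=:]\s*['\"]([^'\"\s]{6,})['\"]"),
}
# Template or dummy values that should not block a commit.
PLACEHOLDERS = re.compile(r"(?i)^(changeme|example|xxx+|\*+|<.*>|\$\{.*\}|%\(.*\)s?)$")

def scan_text(path, text):
    """Return (path, line number, rule, redacted preview) for each suspected secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(m.lastindex or 0)
                if PLACEHOLDERS.match(value):
                    continue
                # Keep only a 4-character preview so the report does not leak the secret.
                findings.append((path, lineno, rule, value[:4] + "..."))
    return findings

def scan_files(files):
    """files maps path -> contents, e.g. the staged files in a pre-commit hook."""
    results = []
    for path, text in sorted(files.items()):
        results.extend(scan_text(path, text))
    return results

# Constructed sample repository contents (hypothetical paths and values).
SAMPLE_FILES = {
    "deploy/settings.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
        'DB_PASSWORD = "${DB_PASSWORD}"\n'
    ),
    "README.md": "Set password = 'hunter2!' in your local config.\n",
    "app/main.py": "import os\nkey = os.environ['AWS_ACCESS_KEY_ID']\n",
}

if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print("%s:%d: %s (%s)" % finding)
```

A hook would exit non-zero when `scan_files` returns anything; a credential that has already been committed must be rotated, because deleting it from the latest revision leaves it in the repository history.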
Even if the credentials had been stolen, if the AWS instance had been secured with two-factor authentication, the hackers wouldn’t have been able to log in and expose the data.
It’s clear that Uber definitely didn’t have that option enabled. The best advice to give anyone about online security is “USE TWO FACTOR AUTHENTICATION ON EVERYTHING YOU CAN!”
An easy way to find out which websites use 2FA is to visit TwoFactorAuth.org.
If you are in the UK, you may find the National Cyber Security Centre’s advice helpful.