Published in News

Uber paid off hacker using bug bounty programme

07 December 2017


20-year-old geezer scored personal data of 57 million users

A 20-year-old Florida man who was responsible for the large data breach at Uber last year was paid by Uber to destroy the data through a so-called “bug bounty” programme.

Uber announced on November 21 that the personal data of 57 million users, including 600,000 drivers in the United States, had been stolen in a breach that occurred in October 2016, and that it paid the hacker $100,000 to destroy the information.

It did not reveal any information about the hacker or how it paid him the money.

However, hacks at Reuters have found out that Uber made the payment last year through its bug bounty service.

They could not find the identity of the hacker or the person who helped him and Uber is still not saying anything about the hack.

Newly appointed Uber Chief Executive Dara Khosrowshahi fired two of Uber’s top security officials when he announced the breach last month, saying the incident should have been disclosed to regulators at the time it was discovered, about a year before.

It is widely believed that CEO Travis Kalanick was aware of the breach and bug bounty payment in November of last year. He stepped down as Uber CEO in June and has taken a vow of silence too.

The high payment through a bug bounty programme should have raised a few alarm bells. Security professionals said rewarding a hacker who had stolen data also would be well outside the normal rules of a bounty programme, where payments are typically in the $5,000 to $10,000 range.

HackerOne hosts Uber’s bug bounty programme but does not manage it, and plays no role in deciding whether payouts are appropriate or how large they should be.

Uber made the payment to confirm the hacker’s identity and have him sign a nondisclosure agreement to deter further wrongdoing. Uber also conducted a forensic analysis of the hacker’s machine to make sure the data had been purged, the sources said.

One source described the hacker as “living with his mom in a small home trying to help pay the bills”, adding that members of Uber’s security team did not want to pursue prosecution of an individual who did not appear to pose a further threat.

The Florida hacker paid a second person for services that involved accessing GitHub, a site widely used by programmers to store their code, to obtain credentials for access to Uber data stored elsewhere, one of the sources said.

Last modified on 07 December 2017