Slashdot Mirror

← Back to Stories (view on slashdot.org)

Uber Discloses Database Breach, Targets GitHub With Subpoena

Posted by Soulskill on from the another-day-another-breach dept.

New submitter SwampApe tips news that Uber has revealed a database breach from 2014. The company says the database contained names and diver's license numbers of their drivers, about 50,000 of which were accessed by an unauthorized third party. As part of their investigation into who was behind the breach, Uber has filed a lawsuit which includes a subpoena request for GitHub. "Uber's security team knows the public IP address used by the database invader, and wants to link that number against the IP addresses and usernames of anyone who looked at the GitHub-hosted gist in question – ID 9556255 – which we note today no longer exists. It's possible the gist contained a leaked login key, or internal source code that contained a key that should not have been made public."

4 of 47 comments (clear)

  1. Re:Just a distraction from the real fail... by NimbleSquirrel · · Score: 4, Informative

    Because they think it was a crime of opportunity, which sounds like a reasonable supposition -- the hacker stumbled across the key in Github, then either gave (or sold) the key to someone else to do the hack, or did the hack himself. Clearly he wouldn't have downloaded the data using his own IP address, but it's entirely possible that when he found the key on Github, he was using a traceable IP.

    There could be hundreds of legitimate accesses of that file. If the hacker was indeed using a hidden IP address to access the database, but his real IP to download the gist, how are Uber going to determine that from all the other legitimate accesses? If the hacker gave away or sold that information, there is going to be no way for Uber to determine a link at all. This just seems like a fishing expedition to hide the real fail.

    By admitting that one of their developers leaked the key himself on Github, it seems a little late for them to claim that they have no responsibility for the breach.

    Ahh... but the thing is that Uber haven't admitted to anything like that. By serving a subpoena against GitHub, it is clear that is what has happened, but nowhere have I seen Uber actually admit this. If Uber were actually to admit this, it would likely open them up to lawsuits from their affected drivers.

  2. Re:Just a distraction from the real fail... by fred911 · · Score: 3, Informative

    "Or there could be 2 accesses of that file, depending on how long they left it up there"

    They're asking for 6 months of data. Here's the subpoena.

      http://regmedia.co.uk/2015/02/...

    --
    09 F9 11 02 9D 74 E3 5B - D8 41 56 C5 63 56 88 C0 45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
  3. Re:Just a distraction from the real fail... by 140Mandak262Jamuna · · Score: 4, Informative

    There's tons of very skilled and usually-careful criminals in prison.

    The above is complete bullshit.

    The prisons house people who were sloppy, stupid, and lazy.

    The smart criminals are in political office and on boards of corporations.

    No. Medium level smart criminals become politicians. The real top level smart criminals become C?O of publicly traded corporations, usually banks, and mutual funds. The super smart criminals buy the politicians to provide safety net for the smart C?O criminals and they remain largely opaque to scrutiny.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  4. Re:Just a distraction from the real fail... by Anonymous Coward · · Score: 2, Informative

    The same kind that constantly commits vim swap, openoffice lock files and other junk files into svn. From my experience, is not that rare, and they aren't retarded, just careless or insufficiently trained