Slashdot Mirror

← Back to Stories (view on slashdot.org)

Uber Discloses Database Breach, Targets GitHub With Subpoena

Posted by Soulskill on from the another-day-another-breach dept.

New submitter SwampApe tips news that Uber has revealed a database breach from 2014. The company says the database contained names and diver's license numbers of their drivers, about 50,000 of which were accessed by an unauthorized third party. As part of their investigation into who was behind the breach, Uber has filed a lawsuit which includes a subpoena request for GitHub. "Uber's security team knows the public IP address used by the database invader, and wants to link that number against the IP addresses and usernames of anyone who looked at the GitHub-hosted gist in question – ID 9556255 – which we note today no longer exists. It's possible the gist contained a leaked login key, or internal source code that contained a key that should not have been made public."

4 of 47 comments (clear)

  1. I'll bet an Uber developer leaked it by jtara · · Score: 5, Insightful

    Now, why would they be asking about a gitHub gist?

    I'll bet one of Uber's own developers leaked the key. Presumably, by accident.

  2. Just a distraction from the real fail... by NimbleSquirrel · · Score: 5, Interesting

    Any hacker with any decent opsec would not be showing their actual IP address. The subpoena request is just smoke and mirrors to hide Uber's own security fail. Even if GitHub were to hand over the data, they would likely find nothing useful. Uber know that GitHub will not hand over that data without a fight. I am willing to bet that Uber are going to start claiming that the hack isn't their fault because GitHub won't hand over the data. If Uber already know the public IP of the hacker, why do they need the info from GitHub to proceed? Meanwhile the actual security fail of Uber making their database access info publicly accessible gets overlooked.

    1. Re:Just a distraction from the real fail... by hawguy · · Score: 5, Insightful

      Any hacker with any decent opsec would not be showing their actual IP address. The subpoena request is just smoke and mirrors to hide Uber's own security fail. Even if GitHub were to hand over the data, they would likely find nothing useful. Uber know that GitHub will not hand over that data without a fight. I am willing to bet that Uber are going to start claiming that the hack isn't their fault because GitHub won't hand over the data. If Uber already know the public IP of the hacker, why do they need the info from GitHub to proceed? Meanwhile the actual security fail of Uber making their database access info publicly accessible gets overlooked.

      Because they think it was a crime of opportunity, which sounds like a reasonable supposition -- the hacker stumbled across the key in Github, then either gave (or sold) the key to someone else to do the hack, or did the hack himself. Clearly he wouldn't have downloaded the data using his own IP address, but it's entirely possible that when he found the key on Github, he was using a traceable IP.

      By admitting that one of their developers leaked the key himself on Github, it seems a little late for them to claim that they have no responsibility for the breach.

  3. I'm an expert! Trust me! by nikhilhs · · Score: 5, Funny

    After watching years of Law and Order, I feel I'm qualified to make a judgement. ;)

    This sounds like a fishing expedition. (DUN DUN)