Slashdot Mirror
Uber Concealed Cyberattack That Exposed 57 Million People's Data (bloomberg.com)
According to Bloomberg, hackers stole the personal data of 57 million customers and drivers from Uber. The massive breach was reportedly concealed by the company for more than a year. From the report: Compromised data from the October 2016 attack included names, email addresses and phone numbers of 50 million Uber riders around the world, the company told Bloomberg on Tuesday. The personal information of about 7 million drivers were accessed as well, including some 600,000 U.S. driver's license numbers. No Social Security numbers, credit card details, trip location info or other data were taken, Uber said. At the time of the incident, Uber was negotiating with U.S. regulators investigating separate claims of privacy violations. Uber now says it had a legal obligation to report the hack to regulators and to drivers whose license numbers were taken. Instead, the company paid hackers $100,000 to delete the data and keep the breach quiet. Uber said it believes the information was never used but declined to disclose the identities of the attackers.
Here's how the hack went down: Two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company. From there, the hackers discovered an archive of rider and driver information. Later, they emailed Uber asking for money, according to the company.
Here's how the hack went down: Two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company. From there, the hackers discovered an archive of rider and driver information. Later, they emailed Uber asking for money, according to the company.
Sure, you can trust them to delete the data they stole.
They won't just take your hush money and sell the data anyway.
No Social Security numbers, credit card details, trip location info or other data were taken, Uber said.
Given Uber's track record, this is the guarantee equivalent of "The check's in the mail" and "No, those jeans don't make you look fat."
Happiness in intelligent people is the rarest thing I know.
Ernest Hemingway
All California drivers for Uber should file a complaint here with the AG:
https://www.oag.ca.gov/privacy/databreach/reporting
My complaint states:
Uber failed to notify thousands of California drivers for Uber of a PII data breach in violation of Calliforonia Civ. Code s.1798.82(a).
https://www.bloomberg.com/news/articles/2017-11-21/uber-concealed-cyberattack-that-exposed-57-million-people-s-data
I guess that's OK, to just resign and not tell anyone.
I'm sure CEOs and such love stuff like this, because they can short their stock and make a ton of money due to the time between finding out and when the security breach has to go public. Heck, not just personal holdings, but selling the "hot tips" can bring in the dosh as well.
. . . let's talk about how much it will cost to delete the backup copy.
And next week, we can talk about how much it will cost to delete the secondary backup.
And eventually, we'll need to talk about the offsite backups.
I despise the "gig economy". It does nothing but disenfranchise people. I'm not defending corporate behemoths who also act like asshats (most of them), but a nice corporate job can be stable, come with benefits, etc. The gig economy sucks. I would rather cut grass with the illegal Mexicans than drive for a shady corporation making money on the backs of the desperate. Here in Texas, people cut grass for 10 months of the year in the southern part of the state where I live. At an average of $50 a yard and 10 yards a day, a man can make $500 a day. X5=2500, X4=10000. After gas, oil, and taxes, you are keeping around $7000. Not a bad job. Yes, it's work, but that's what's wrong with America and much of the world anymore. No one wants to actually do real physical labor. They'd rather sit.
So the people who didn't disclose an October 2016 attack until now assure us about the details of what was copied? Forgive me if I don't think it wise to trust the statements of those who don't disclose problems to the adversely affected in a timely manner. We've seen so many examples of other organizations later disclose that their attacks were worse than they first let on, it'll be noteworthy if this is merely late in coming and not both late and incomplete reporting.
Digital Citizen
And that is called paying the Dane-geld;
But we've proved it again and again,
That if once you have paid him the Dane-geld
You never get rid of the Dane.
-- Rudyard Kipling
>"Two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company."
Translation:
The Uber employees used the SAME logins/passwords on a GITHub site that was on the Internet as their credentials on ANOTHER site that handles their production data which was also on the Internet!
Huge no-no!!! #1 rule- keep passwords private and secure/undisclosed. #2 rule- never use the same credentials on multiple sites (especially critical sites... most especially anything accessible on the Internet). This is like security 101...
The production site:
1) allowed access from public net with nothing more than a simple text password
2) developers had access to production
Why are these problems?
1a) Developers are operationally stupid and lazy. They do dumb ass things like use the same login/password everywhere.
1b) Access to production should always be limited to sysadmins/operations staff.
1c) Access should require multiple authentication and be through vpn.
2) Developers are operationally stupid and lazy. That's one of many reasons we don't allow them access to production at companies run by adults.
What have we learned (or further confirmed) about Uber?
1) Uber is not run by adults
2) Uber is evil and stupid and lazy
3) Developers are stupid and lazy
4) Uber should be put out of its misery asap but won't because they're "too big to fail" and have the backing of too many people with a lot more money than ethics or morals
Uber is what happens when money is the *only* thing a company cares about. Losing data in stupid ways, lying about it, lying about the lies, abusing women staffers, abusing women execs, abusing customers, abusing drivers, abusing the local government of every city they operate in, cheating the taxi companies (yes they are scumbags too but Uber has managed to out scumbag them), and generally making the other evil big name companies like Facebook, Google, Microsoft, and Apple look like fucming saints by comparison required tremendous active effort.
Uber didn't become that evil by accident. It starts at the top and works it's way through the entire organization until anyone insufficiently evil gets snuffed out. It cannot be purged except by death of the entire company. I do hope they stay in business however. Otherwise their scum will spread across the entire tech industry and take their evil ideas with them everywhere. It is much better all the shitty people stay in one place together. Keep in mind where they learned to behave if you see an Uber resume.
It’d been quiet on the Uber front for a couple months... I was getting really worried.
Thank heavens things are back to normal!
#DeleteChrome
I had assumed they had done something stupid like hardcoded their AWZ account information in some source or maybe just mentioned it in a comment somewhere rather than used the same password for both.
In order to install Bixby on a Galaxy S8, you have to accept Uber's terms of service and allow Samsung to send your data to Uber. Thanks but no thanks, Samsung.
I can do whatever I want to you and destroy the taxi industry. Then I'll create a backdoor to my crapware so "hackers" can get in and I can sell all you personal information to whomever I want.
Yeah, I thought of that after I posted. Quite possible, and even more stupid!
You see, there's this secret new veri[REDACTED] delete [REDACTED] that's been ... [REDACTED - nice try "A.C." - see you real soon...]