The recent Uber data breach, which compromised the personal information of 57 million users, was the work of a 20-year-old Florida man, a new report has revealed.
Reuters reports the breach was carried out by a young man, whom a source described as “living with his mom in a small home trying to help pay the bills.” The hacker has not been identified.
As previously reported, Uber paid $100,000 to ensure that the hack was kept under wraps, and that the stolen data was destroyed. The new report reveals the hacker was paid through Uber’s bug bounty program.
Normally, bug bounty programs are designed to reward hackers who find flaws in a company’s code. The report notes that payments in a typical bounty program often range between $5,000 and $10,000.
This particular case is different for a few obvious reasons. The money involved — $100,000 — is an extremely high amount to be paid from a bug bounty program. It’s also not a normal move to use such a program to pay off a hacker who stole data from the company.
While the original report claimed Uber was hacked by two people, a source said the hacker paid someone else “to obtain credentials for access to Uber data stored elsewhere” through GitHub.
But GitHub — a site used to store code — told Reuters the attack “did not involve a failure of its security systems.”
The Fallout Continues
The hacker was made to sign a nondisclosure agreement “to deter further wrongdoing,” and Uber also analyzed his computer to ensure the data was properly purged. Ultimately, Uber’s security team didn’t see the hacker as a security threat going forward, and the team elected not to prosecute him.
While this report accounts for many of the previously unknown details behind the hack, Uber will be dealing with the fallout for some time. Congress is seeking further answers about the incident, and the company already faces breach-related lawsuits from a number of states and cities.