A 20-year-old Florida man was responsible for the massive data breach at Uber Technologies last year and was paid by Uber to destroy the data through a so-called “bug bounty” program normally used to identify small code vulnerabilities, three people familiar with the events have told Reuters.
Uber announced on Nov. 21 that the personal data of 57 million users, including 600,000 drivers in the United States, had been stolen in a breach that occurred in October 2016, and that it paid the hacker $100,000 to destroy the information. But the company didn’t reveal any details about the hacker or how it paid him the money.
Uber made the payment last year through a program designed to reward security researchers who report flaws in a company’s software, those people said. Uber’s bug bounty service – as such a program is known in the industry – is hosted by a company called HackerOne, which offers its platform to numerous tech companies.
Reuters was unable to establish the identity of the hacker or another person who sources said helped him. Uber spokesman Matt Kallman declined to comment on the matter.
Newly appointed Uber Chief Executive Dara Khosrowshahi fired two of Uber’s top security officers when he announced the breach last month, saying the incident should have been disclosed to regulators at the time it was discovered, about a year earlier.
It remains unclear who made the final decision to authorize the payment to the hacker and to keep the breach secret, though the sources said then-CEO Travis Kalanick was aware of the breach and bug bounty payment in November of last year.
Kalanick, who stepped down as Uber CEO in June, declined to comment on the matter, according to his spokesman.
A payment of $100,000 through a bug bounty program would be extremely unusual, with one former HackerOne executive saying it would represent an “all-time record.” Security professionals said rewarding a hacker who had stolen data also would be well outside the normal rules of a bounty program, where payments are typically in the $5,000 to $10,000 range.
HackerOne hosts Uber’s bug bounty program but does not manage it, and plays no role in deciding whether payouts are appropriate or how large they should be.
HackerOne CEO Marten Mickos said he could not discuss an individual customer’s programs. “In all cases when a bug bounty award is processed through HackerOne, we receive identifying information of the recipient in the form of an IRS W-9 or W-8BEN form before payment of the award can be made,” he said, referring to U.S. Internal Revenue Service forms.
According to two of the sources, Uber made the payment to confirm the hacker’s identity and have him sign a nondisclosure agreement to deter further wrongdoing. Uber also conducted a forensic analysis of the hacker’s machine to make sure the data had been purged, the sources said.
One source described the hacker as “living with his mom in a small home trying to help pay the bills,” adding that members of Uber’s security team did not want to pursue prosecution of a person who did not appear to pose a further threat.
The Florida hacker paid a second person for services that involved accessing GitHub, a site widely used by programmers to store their code, to obtain credentials for access to Uber data stored elsewhere, one of the sources said.
GitHub said the attack did not involve a failure of its security systems. “Our recommendation is to never store access tokens, passwords, or other authentication or encryption keys in the code,” that company said in a statement.
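GitHub’s recommendation above is about credentials committed to source repositories. As an added example that is not from the article, GitHub or Uber, the Python below scans file text for hard-coded credentials the way a pre-commit check would; the rule patterns, the entropy threshold and the sample config file are constructed for illustration.

```python
import math
import re

# Constructed rules: the AWS access-key-ID shape is real (AKIA + 16 upper-case
# alphanumerics); the assignment rule catches `password = "..."`, `api_token: '...'`
# and similar lines regardless of prefix (db_password, AWS_SECRET, ...).
RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "credential_assignment": re.compile(
        r"(?i)(password|passwd|secret|token|api_key|access_key)"
        r"\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}


def shannon_entropy(s):
    """Bits per character: random-looking secrets score high, plain words low."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum((n / len(s)) * math.log2(n / len(s)) for n in counts.values())


def find_secrets(text, min_entropy=3.0):
    """Return (line_no, rule, value) for each suspicious line in `text`.

    Assigned values with low entropy (e.g. 'changeme') are reported under a
    separate rule so a reviewer can triage obvious placeholders first.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = RULES["aws_access_key_id"].search(line)
        if m:
            findings.append((line_no, "aws_access_key_id", m.group(0)))
        m = RULES["credential_assignment"].search(line)
        if m:
            value = m.group(2)
            rule = ("credential_assignment" if shannon_entropy(value) >= min_entropy
                    else "low_entropy_placeholder")
            findings.append((line_no, rule, value))
    return findings


# Constructed sample of a config file a developer might commit by mistake.
SAMPLE = """\
db_host = "db.internal.example"
db_password = "changeme"
AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE01"  # placeholder, not a real key
api_token = "q7Zp9xL2mNv4RtY8wB3kJ6hF"
"""

if __name__ == "__main__":
    for finding in find_secrets(SAMPLE):
        print(finding)
```

Wiring this into a pre-commit hook stops the commit before the credential ever reaches a shared repository; secrets already pushed must be treated as compromised and rotated, since removing them from history does not undo exposure.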