Uber confirmed that hackers breached some part of its network in October 2016 and made off with personal data for 50 million users and 7 million drivers.
In official statements issued today for riders and for drivers, Uber said the hackers made off with names, email addresses, and mobile phone numbers for both rider and driver accounts. In addition, the hackers also downloaded the driver's license numbers of around 600,000 US drivers.
Uber said that based on current evidence the hackers did not download location history, credit card numbers, bank account numbers, Social Security numbers, or dates of birth.
"yo i got hacked: pic.twitter.com/3DREI7pETp" - Harry Campbell (@TheRideShareGuy), November 21, 2017
The incident took place in October 2016, but the company learned about the hack a month later, in November 2016.
In a separate message posted online by Uber's newly appointed CEO Dara Khosrowshahi, the company said it believes two individuals were involved in the hack.
Bloomberg, which first broke the story, claims the company paid the two hackers $100,000 to delete the data and keep quiet about the incident. Bloomberg also reported that Uber asked its security chief, John Sullivan, to resign and fired one of the lawyers that acted as Sullivan's assistant.
Khosrowshahi also said Uber has informed law enforcement authorities and the FTC of the hack. The company reached out to regulators only last week, almost a year after the hack, and only when it became evident that the news was about to break publicly.
After the news broke, the New York Attorney General opened an investigation into the way Uber handled the hack and into its failure to alert users and authorities as soon as it learned of the incident.
According to Khosrowshahi, the hackers "inappropriately accessed user data stored on a third-party cloud-based service" that Uber was utilizing to store user data. Khosrowshahi made it clear that hackers "did not breach [Uber's] corporate systems or infrastructure."
From the outside, the breach appears to have been the result of an unsecured or misconfigured cloud server, most likely a staging system used for running tests or for other systems still in development. Such incidents have been rampant in the past two years, with the latest cloud server bungle affecting the US military.
"We continue to see security control misconfigurations that result in costly breaches," Stephan Chenette, CEO and Co-Founder of AttackIQ, told Bleeping Computer today. "What makes this breach particularly damning is the failure of Uber to ethically disclose the breach to its customers. This is another epic failure."