A couple of weeks ago we learned that Uber had suffered a hack affecting 57 million users worldwide. The company only came clean about the breach 13 months after it took place, as Uber’s former chief of security paid the hacker $100,000 under the guise of a bug bounty to keep it under wraps. Now, some new details have come to light regarding the hacker and how he was paid.
A Reuters report citing sources familiar with the matter claims that a 20-year-old from Florida was responsible for Uber’s 2016 data breach. During the attack, he managed to obtain the details of 50 million passengers and 7 million drivers; 2.7 million of the affected users were from the UK.
To cover the attack up, Uber used its bug bounty program hosted by HackerOne. Such a program is intended to reward security researchers who bring bugs to the company’s attention so that a fix can be put into place. Traditionally, these programs are not used to reward those who hack and extort a company.
A payment of $100,000 was sent to the hacker through the bug bounty program. Such a high payment would be ‘extremely unusual’ and would represent an all-time record, according to one former HackerOne executive cited in the report. Bounty payments usually fall in the $5,000 to $10,000 range. It is important to note that while HackerOne hosts Uber’s bug bounty program, it does not manage it, nor does it have a hand in setting Uber’s bounty payment amounts.
KitGuru Says: The Uber hack was clearly handled poorly, particularly since paying off data thieves encourages others to attempt the same thing. Hopefully this will serve as a lesson to other companies going forward.