Two men plead guilty to 2016 Uber and LinkedIn hacks

The pair used stolen AWS account credentials to access 57 million Uber customer accounts

Two men have pleaded guilty to a 2016 hack against systems belonging to Uber and LinkedIn and to holding stolen data to ransom.

Florida resident Brandon Glover and Canadian Vasile Mereacre appeared in court on Wednesday on charges of extortion and computer hacking.

The pair confessed that they used Amazon Web Service credentials to access customer data from both companies and demanded bitcoin payments for its deletion.

Uber had 57 million of its customer accounts breached in October 2016, however, following an attempted cover-up by the company, the extent of the breach was only revealed until the following year.

The pair then attacked LinkedIn-owned Lynda.com, now LinkedIn Learning, where they gained access to 55,000 customer accounts in December 2016. LinkedIn immediately referred the incident to the police, at which point the full extent of the pair's activities came to light.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

"In order to take on those people on the front lines of the cyber security battle, we rely heavily on our valued relationships and open dialogue with private sector companies in cyber industries," said John Bennett, the FBI special agent leading the case against the pair, speaking to The New York Times. "Their willingness to speedily report intrusions to our investigators allows us to find and arrest those who commit data breaches."

Stolen credentials

The case was presided over by Judge Lucy Koh, the same official that mediated on Yahoo's financial penalty following the breach of its systems in 2013.

Judge Koh heard that Glover and Mereacre used hacked Uber and Lynda employee AWS credentials to gain access to the data. In both breaches, the pair then attempted to contact security officials at the companies using pseudonyms and untraceable accounts, demanding for bitcoin payments in exchange for the information.

In October 2016, officials from the ride-hailing firm tried to conceal the incident and reach a deal with the two men by paying them through a bug bounty website. However, in Uber's case, the hackers were not invited to test its systems and were asked to sign nondisclosure agreements in exchange for two payments of $50,000 in bitcoin.

However, when contacted by the hackers in December 2016, security officials at Lynda.com ignored this and immediately notified authorities of the hack.

Advertisement - Article continues below

Uber's failure to disclose the breach led to an investigation and $148 million settlement. Joe Sullivan, the chief security officer at the time, was ousted for presiding over the deal and failing to notify the victims of the breach. Former CEO Travis Kalanick, who left the company shortly after following accusations of sexism and poor working practices, was also reportedly aware of the breach during this time.

Having pleaded guilty, Glover and Mereacre will be sentenced in 2020 and could face five years in federal prison and a fine of up to $250,000.

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now
Advertisement

Most Popular

Visit/business-strategy/public-sector/354608/uk-gov-launches-ps300000-sen-edtech-initiative
public sector

UK gov launches £300,000 SEN EdTech initiative

22 Jan 2020
Visit/operating-systems/25802/17-windows-10-problems-and-how-to-fix-them
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
Visit/business-strategy/mergers-and-acquisitions/354602/xerox-to-nominate-directors-to-hps-board-reports
mergers and acquisitions

Xerox to nominate directors to HP's board – reports

22 Jan 2020
Visit/web-browser/30394/what-is-http-error-503-and-how-do-you-fix-it
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020