Two men plead guilty to 2016 Uber and LinkedIn hacks

The pair used stolen AWS account credentials to access 57 million Uber customer accounts

Two men have pleaded guilty to a 2016 hack against systems belonging to Uber and LinkedIn and to holding stolen data to ransom.

Florida resident Brandon Glover and Canadian Vasile Mereacre appeared in court on Wednesday on charges of extortion and computer hacking.

The pair confessed that they used Amazon Web Service credentials to access customer data from both companies and demanded bitcoin payments for its deletion.

Uber had 57 million of its customer accounts breached in October 2016, however, following an attempted cover-up by the company, the extent of the breach was only revealed until the following year.

The pair then attacked LinkedIn-owned Lynda.com, now LinkedIn Learning, where they gained access to 55,000 customer accounts in December 2016. LinkedIn immediately referred the incident to the police, at which point the full extent of the pair's activities came to light.

"In order to take on those people on the front lines of the cyber security battle, we rely heavily on our valued relationships and open dialogue with private sector companies in cyber industries," said John Bennett, the FBI special agent leading the case against the pair, speaking to The New York Times. "Their willingness to speedily report intrusions to our investigators allows us to find and arrest those who commit data breaches."

Stolen credentials

The case was presided over by Judge Lucy Koh, the same official that mediated on Yahoo's financial penalty following the breach of its systems in 2013.

Judge Koh heard that Glover and Mereacre used hacked Uber and Lynda employee AWS credentials to gain access to the data. In both breaches, the pair then attempted to contact security officials at the companies using pseudonyms and untraceable accounts, demanding for bitcoin payments in exchange for the information.

In October 2016, officials from the ride-hailing firm tried to conceal the incident and reach a deal with the two men by paying them through a bug bounty website. However, in Uber's case, the hackers were not invited to test its systems and were asked to sign nondisclosure agreements in exchange for two payments of $50,000 in bitcoin.

However, when contacted by the hackers in December 2016, security officials at Lynda.com ignored this and immediately notified authorities of the hack.

Uber's failure to disclose the breach led to an investigation and $148 million settlement. Joe Sullivan, the chief security officer at the time, was ousted for presiding over the deal and failing to notify the victims of the breach. Former CEO Travis Kalanick, who left the company shortly after following accusations of sexism and poor working practices, was also reportedly aware of the breach during this time.

Having pleaded guilty, Glover and Mereacre will be sentenced in 2020 and could face five years in federal prison and a fine of up to $250,000.

Featured Resources

Next-generation time series: Forecasting for the real world, not the ideal world

Solve time series problems with AI

Free download

The future of productivity

Driving your business forward with Microsoft Office 365

Free download

How to plan for endpoint security against ever-evolving cyber threats

Safeguard your devices, data, and reputation

Free download

A quantitative comparison of UPS monitoring and servicing approaches across edge environments

Effective UPS fleet management

Free download

Recommended

Nigerian cyber criminals target Texas unemployment system
cyber security

Nigerian cyber criminals target Texas unemployment system

27 May 2021
Hackers use open source Microsoft dev platform to deliver trojans
Security

Hackers use open source Microsoft dev platform to deliver trojans

14 May 2021

Most Popular

Best Linux distros 2021
operating systems

Best Linux distros 2021

11 Oct 2021
Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans
Laptops

Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans

11 Oct 2021
Royal Mint to recover gold from smartphones and laptops in world first
Technology

Royal Mint to recover gold from smartphones and laptops in world first

21 Oct 2021