Two men plead guilty to 2016 Uber and LinkedIn hacks

The pair used stolen AWS account credentials to access 57 million Uber customer accounts

Two men have pleaded guilty to a 2016 hack against systems belonging to Uber and LinkedIn and to holding stolen data to ransom.

Florida resident Brandon Glover and Canadian Vasile Mereacre appeared in court on Wednesday on charges of extortion and computer hacking.

The pair confessed that they used Amazon Web Services credentials to access customer data from both companies and demanded bitcoin payments for its deletion.

Uber had 57 million of its customer accounts breached in October 2016; however, following an attempted cover-up by the company, the extent of the breach was not revealed until the following year.

The pair then attacked LinkedIn-owned Lynda.com, now LinkedIn Learning, where they gained access to 55,000 customer accounts in December 2016. LinkedIn immediately referred the incident to the police, at which point the full extent of the pair's activities came to light.

"In order to take on those people on the front lines of the cyber security battle, we rely heavily on our valued relationships and open dialogue with private sector companies in cyber industries," said John Bennett, the FBI special agent leading the case against the pair, speaking to The New York Times. "Their willingness to speedily report intrusions to our investigators allows us to find and arrest those who commit data breaches."

Stolen credentials

The case was presided over by Judge Lucy Koh, the same official who mediated on Yahoo's financial penalty following the breach of its systems in 2013.

Judge Koh heard that Glover and Mereacre used hacked Uber and Lynda employee AWS credentials to gain access to the data. In both breaches, the pair then attempted to contact security officials at the companies using pseudonyms and untraceable accounts, demanding bitcoin payments in exchange for the information.

In October 2016, officials from the ride-hailing firm tried to conceal the incident and reach a deal with the two men by paying them through a bug bounty website. However, in Uber's case, the hackers were not invited to test its systems and were asked to sign nondisclosure agreements in exchange for two payments of $50,000 in bitcoin.

However, when contacted by the hackers in December 2016, security officials at Lynda.com ignored the demand and immediately notified authorities of the hack.

Uber's failure to disclose the breach led to an investigation and a $148 million settlement. Joe Sullivan, the chief security officer at the time, was ousted for presiding over the deal and failing to notify the victims of the breach. Former CEO Travis Kalanick, who left the company shortly after, following accusations of sexism and poor working practices, was also reportedly aware of the breach during this time.

Having pleaded guilty, Glover and Mereacre will be sentenced in 2020 and could face five years in federal prison and a fine of up to $250,000.
