Two men plead guilty to 2016 Uber and LinkedIn hacks

The pair used stolen AWS account credentials to access 57 million Uber customer accounts

Two men have pleaded guilty to a 2016 hack against systems belonging to Uber and LinkedIn and to holding stolen data to ransom.

Florida resident Brandon Glover and Canadian Vasile Mereacre appeared in court on Wednesday on charges of extortion and computer hacking.

The pair confessed that they used Amazon Web Services credentials to access customer data from both companies and demanded bitcoin payments for its deletion.

Uber had 57 million of its customer accounts breached in October 2016. However, following an attempted cover-up by the company, the extent of the breach was not revealed until the following year.

The pair then attacked LinkedIn-owned Lynda.com, now LinkedIn Learning, where they gained access to 55,000 customer accounts in December 2016. LinkedIn immediately referred the incident to the police, at which point the full extent of the pair's activities came to light.

"In order to take on those people on the front lines of the cyber security battle, we rely heavily on our valued relationships and open dialogue with private sector companies in cyber industries," said John Bennett, the FBI special agent leading the case against the pair, speaking to The New York Times. "Their willingness to speedily report intrusions to our investigators allows us to find and arrest those who commit data breaches."

Stolen credentials

The case was presided over by Judge Lucy Koh, the same official who mediated on Yahoo's financial penalty following the breach of its systems in 2013.

Judge Koh heard that Glover and Mereacre used hacked Uber and Lynda employee AWS credentials to gain access to the data. In both breaches, the pair then attempted to contact security officials at the companies using pseudonyms and untraceable accounts, demanding bitcoin payments in exchange for the information.

In October 2016, officials from the ride-hailing firm tried to conceal the incident and reach a deal with the two men by paying them through a bug bounty website. However, in Uber's case, the hackers were not invited to test its systems and were asked to sign nondisclosure agreements in exchange for two payments of $50,000 in bitcoin.

However, when contacted by the hackers in December 2016, security officials at Lynda.com ignored the demand and immediately notified authorities of the hack.

Uber's failure to disclose the breach led to an investigation and a $148 million settlement. Joe Sullivan, the chief security officer at the time, was ousted for presiding over the deal and failing to notify the victims of the breach. Former CEO Travis Kalanick, who left the company shortly after, following accusations of sexism and poor working practices, was also reportedly aware of the breach during this time.

Having pleaded guilty, Glover and Mereacre will be sentenced in 2020 and could face five years in federal prison and a fine of up to $250,000.
