Hackers behind Uber and Lynda hacks plead guilty in data breaches

Two hackers have pleaded guilty to hacking Uber and LinkedIn’s Lynda.com service in 2016 and attempted to extort money from the two companies.

Brandon Charles Glover and Vasile Mereacre are two hackers that have pleaded guilty to hacking Uber and LinkedIn’s Lynda.com service in 2016. The defendants have also attempted to extort money from the companies requesting them to pay ‘bug bounties’ to avoid publicly disclose the data breaches.

In November 2017, Uber CEO Dara Khosrowshahi announced on Tuesday that hackers broke into the company database and accessed the personal data of 57 million of its users, the bad news is that the company covered up the hack for more than a year.

According to a report published by Bloomberg, the hackers obtained credentials from a private GitHub site used by the Uber development team. The hackers tried to blackmail Uber and demanded $100,000 from the company in exchange for avoiding publish the stolen data.

At the time, Uber decided to pay the ransom and to cover the story destroying any evidence. The payout was disguised as a bug bounty prize complete with non-disclosure agreements signed. Uber sent Glover and Mereacre two payments of $50,000 in bitcoin and asked them to sign nondisclosure agreements.

In 2017 the FTC charged the company for deceiving customers with its privacy and data security practices. The first settlement dated back August 2017, according to the FTC, the company failed to apply security measures to protect customers and drivers data, later while investigating the settlement, the Commission discovered that the company did not disclose the 2016 data breach before 2017.

In September 2018, Uber agreed to pay $148 million settlement with US States and the District of Columbia over the massive 2016 data breach that exposed personal data of 57 million of its users.

Lynda.com is an online learning platform that was acquired by LinkedIn in 2015. In 2016, the company warned its 9.5 million customers about the breach, even is only 55,000 accounts were official affected.

This week, Glover and Mereacre, appeared before Judge Lucy Koh of the United States District Court for the Northern District of California. 

Both admitted stealing users’ data from companies that were stored on Amazon Web Services, the theft took place between October 2016 and January 2017, then the duo demanded to be paid to destroy the data.

The story was different for the hack of Lynda.com because LinkedIn refused to pay the hackers and attempted to identify them.

The duo now faces up to five years and prison and a $250,000 fine. The next hearing has been scheduled for March 18 before U.S. District Judge Lucy Koh.

Pierluigi Paganini

(SecurityAffairs –
Xhelper, malware)

Share On