The ride-hailing startup revealed last month that in October 2016. The pilfered data included personal information such as names, email addresses and driver's license numbers, but not Social Security numbers and credit card information, the company said.
Uber said it paid $100,000 to the data thieves at the time to delete the information. But the company did not reveal any details about the hacker or how it paid him the money.
Sources familiar with the hack told Reuters the payment was made through a program designed to reward bug hunters who report flaws in a company's software. Uber's bug bounty service is hosted by HackerOne, a company that connects security researchers with companies.
While three sources familiar with the hack told Reuters a Florida man was responsible, the news agency said it was unable to identify the man.
Uber has said hackers accessed names and email addresses, as well as the drivers' license numbers of 600,000 Uber drivers, by stealing the password to a cloud database hosted by Amazon Web Services. Uber said it first became aware of the hack in November 2016. Since that time, CEO Travis Kalanick stepped down and was.
The revelation has gotten the startup in. The New York State Attorney General has opened an investigation into the incident, while the New Mexico Attorney General has sent Uber a letter asking for details of the hack and how the company responded. Officials for Connecticut, Illinois and Massachusetts also confirmed they're investigating the hack.
Uber may also have broken a promise made in a Federal Trade Commission settlement not to mislead users about data privacy and security.
Uber declined to comment, while HackerOne representatives didn't immediately respond to a request for comment.
CNET's Dara Kerr and Laura Hautala contributed to this report.