
Florida man, 20, reportedly behind massive hack at Uber

An unidentified man was paid $100,000 to delete the data through a bug bounty program, Reuters reports.

Steven Musil Night Editor / News

Uber hasn't identified the hacker it paid $100,000 to last year, but Reuters reports it's a 20-year-old man in Florida.


A 20-year-old Florida man was responsible for a massive data breach at Uber last year, although his identity couldn't be established, Reuters reported Wednesday.

The ride-hailing startup revealed last month that hackers stole data on 57 million drivers and riders in October 2016. The pilfered data included personal information such as names, email addresses and driver's license numbers, but not Social Security numbers and credit card information, the company said.

Uber said it paid $100,000 to the data thieves at the time to delete the information. But the company did not reveal any details about the hacker or how it paid him the money.

Sources familiar with the hack told Reuters the payment was made through a program designed to reward bug hunters who report flaws in a company's software. Uber's bug bounty service is hosted by HackerOne, a company that connects security researchers with companies.

While three sources familiar with the hack told Reuters a Florida man was responsible, the news agency said it was unable to identify the man.

Uber has said hackers accessed names and email addresses, as well as the drivers' license numbers of 600,000 Uber drivers, by stealing the password to a cloud database hosted by Amazon Web Services. Uber said it first became aware of the hack in November 2016. Since that time, CEO Travis Kalanick stepped down and was replaced by Dara Khosrowshahi in August.

The revelation has gotten the startup in hot water with regulators and prosecutors. The New York State Attorney General has opened an investigation into the incident, while the New Mexico Attorney General has sent Uber a letter asking for details of the hack and how the company responded. Officials for Connecticut, Illinois and Massachusetts also confirmed they're investigating the hack.

Uber may also have broken a promise made in a Federal Trade Commission settlement not to mislead users about data privacy and security.

Uber declined to comment, while HackerOne representatives didn't immediately respond to a request for comment.

CNET's Dara Kerr and Laura Hautala contributed to this report.
