Uber revealed Tuesday that hackers stole data on 57 million drivers and riders in October 2016, the ride-hailing company said on Tuesday.
The pilfered data included personal information such as names, email addresses and driver's license numbers, the company said. Social Security numbers and credit card information, however, didn't appear to have been compromised.
Dara Khosrowshahi, Uber's new CEO, and the company said in a trio of statements that he learned of the breach "recently," but the company had discovered it in November 2016. Uber paid $100,000 for the data thieves to delete the information at the time.
The data was stored on an Amazon Web Services cloud account, and "two individuals outside the company" accessed and downloaded the information, he said. The company believes the data has since been deleted, he added, and there are no signs of fraud stemming from the breach.
The company now believes it had a legal obligation to disclose the breach.
"None of this should have happened, and I will not make excuses for it," Khosrowshahi said. "While I can't erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes."
Uber said it doesn't think riders need to worry. The company thinks about 600,000 drivers were affected, and it's offering them credit monitoring and identity theft protection.
By all accounts, Uber has had a terrible year. It's been wracked with scandals and saw a spectacular fall from grace that led to the ouster of its former CEO Travis Kalanick and five separate Department of Justice investigations.
Since Khosrowshahi was appointed in August, the company has been getting back on its feet. But, Khosrowshahi has a lot to clean up. Uber is dealing with a slew of lawsuits brought by investors, drivers and passengers. The company is still also ironing out kinks with regulators in major cities, like London, Sao Paulo and Copenhagen.
This isn't the first hack into Uber's data. The company was hit with a cyberattack in May 2014 that put up to 50,000 former and current Uber drivers' personal information at risk. The company was slow to reveal that attack too. It didn't announce the attack until eight months after it was discovered.
In its information page for drivers, Uber said it didn't tell drivers right away when it found the problem. "We think this was wrong, which is why we are now taking the actions we've described," the company said.
CNET Magazine: Check out a sample of the stories in CNET's newsstand edition.
It's Complicated: This is dating in the age of apps. Having fun yet? These stories get to the heart of the matter.