Attacks/Breaches

12/7/2017
10:31 AM
50%
50%

Uber Used $100K Bug Bounty to Pay, Silence Florida Hacker: Report

Uber also performed a forensic analysis of the man's computer to ensure he had deleted the stolen information, Reuters said.

Uber reportedly paid a 20-year-old Florida man behind its massive data breach $100,000 from its bug bounty program to keep mum about the cyberattack and to delete the stolen data.

A Reuters report quotes unnamed sources familiar with the breach event as saying that Uber paid the man in order to confirm his identity, and had him sign a nondisclosure agreement to prevent him from doing any further damage. Uber also performed a forensic investigation on the man's computer to ensure he had deleted the stolen information.

The man reportedly paid another individual to steal Uber credentials from GitHub, which ultimately led to the Uber systems breach. According to a source quoted in the Reuters report, the man was "living with his mom in a small home trying to help pay the bills."

Uber's use of a bug bounty for the payment was an unusual move: bug bounty payments normally range from $5,000 to $10,000.

See Reuters' full article here.

 

Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
12/7/2017 | 1:30:24 PM
Oh Really???? The data IS DELETED?
Hard drive - put in a safe deposit box.  Think about it.  Tiny mental morons at work at Uber.  Well, they can always go to Equifax.
What We Talk About When We Talk About Risk
Jack Jones, Chairman, FAIR Institute,  7/11/2018
Ticketmaster Breach Part of Massive Payment Card Hacking Campaign
Jai Vijayan, Freelance writer,  7/10/2018
Major International Airport System Access Sold for $10 on Dark Web
Kelly Sheridan, Staff Editor, Dark Reading,  7/11/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Cyberspace is much less secure than my old lamp.
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-6681
PUBLISHED: 2018-07-17
Abuse of Functionality vulnerability in the web interface in McAfee Network Security Management (NSM) 9.1.7.11 and earlier allows authenticated users to allow arbitrary HTML code to be reflected in the response web page via appliance web interface.
CVE-2018-13864
PUBLISHED: 2018-07-17
A directory traversal vulnerability has been found in the Assets controller in Play Framework 2.6.12 through 2.6.15 (fixed in 2.6.16) when running on Windows. It allows a remote attacker to download arbitrary files from the target server via specially crafted HTTP requests.
CVE-2018-14338
PUBLISHED: 2018-07-17
samples/geotag.cpp in the example code of Exiv2 0.26 misuses the realpath function on POSIX platforms (other than Apple platforms) where glibc is not used, possibly leading to a buffer overflow.
CVE-2018-14337
PUBLISHED: 2018-07-17
The CHECK macro in mrbgems/mruby-sprintf/src/sprintf.c in mruby 1.4.1 contains a signed integer overflow, possibly leading to out-of-bounds memory access because the mrb_str_resize function in string.c does not check for a negative length.
CVE-2018-14329
PUBLISHED: 2018-07-17
In HTSlib 1.8, a race condition in cram/cram_io.c might allow local users to overwrite arbitrary files via a symlink attack.