Advertisement

Hackers who tried extorting Uber, Lynda plead guilty

Uber portrayed its payment to the hackers as a bug bounty reward.
Uber settlement
(Getty)

Two men pleaded guilty on Wednesday to charges related to hacking Uber and LinkedIn subsidiary Lynda.com in 2016, then trying to blackmail both companies into paying them to keep quiet about the incidents.

Brandon Glover, a 26-year-old Florida man, and Vasile Mereacre, a 23-year-old Canadian, acknowledged their role iin a scheme to access personal information belonging to tens of millions of customers.

The men said they were able to obtain customers’ information from Uber and Lynda by accessing Amazon Web Services accounts from both companies’ employees, then downloading troves of data. Then, they anonymously contacted security teams from both companies, promising to remain silent in exchange for hundreds of thousands of dollars.

Uber agreed to the terms, saying it would pay the hackers $100,000 in bitcoin that the company later classified as a bug bounty payment, as long as the thieves would sign confidentiality agreements about the breach affecting 57 million people. The security team used information made available when the hackers reported the vulnerabilities to find them at their homes in Canada and Florida to force them to sign the necessary forms.

Advertisement

Lynda refused, alerting its customers in December 2016 about a breach in which 55,000 accounts were impacted.

Uber executives revealed in November 2017 that the company had paid hackers in two installments of $50,000 in bitcoin, triggering legal action that would ultimately result in Uber paying $148 million to settle an investigation into the matter.

The defendants used an encrypted email address, “johndoughs@protonmail.com,” to contact the companies. They also claimed they had been paid by other companies for finding security flaws in their systems.

Both men face a maximum of five years in prison and a $250,000 when they are sentenced.

The incident at Uber ultimately led to the dismissal of chief security officer Joe Sullivan, and the departure of founder and CEO Travis Kalanick. Sullivan went on to work at Cloudflare, while Kalanick ultimately would sell $1.4 billion in stock as part of his exit from the company amid a string of controversies.

Advertisement

[documentcloud url=”http://www.documentcloud.org/documents/6534936-Uber-Plea.html” responsive=true]

Jeff Stone

Written by Jeff Stone

Jeff Stone is the editor-in-chief of CyberScoop, with a special interest in cybercrime, disinformation and the U.S. justice system. He previously worked as an editor at the Wall Street Journal, and covered technology policy for sites including the Christian Science Monitor and the International Business Times.

Latest Podcasts