Two hackers involved in the 2016 cyber attack on Uber and LinkedIn confessed to their crimes. The hackers will each face up to 5 years in prison and both pay $250,000 fines.
Uber and LinkedIn were hit by a massive cyberattack in 2016. Hackers infiltrated the systems of both companies and blackmailed companies with the data they seized.. When the incident was reflected in official institutions, hackers were pursued.. One of the hackers who carried out this attack was identified as Brandon Glover, 26, and Vasile Mereacre, 23, according to court documents. They used the GitHub account checker tool. They specifically targeted credentials for corporate employees, so they could breach high-value GitHub accounts and search for sensitive information.
When they breached accounts, Glover and Mereacre would search companies’ GitHub projects for Amazon Web Services (AWS) credentials.. These two used these AWS credentials to connect to the company’s backends and retrieve sensitive data such as user details or backups.
Court documents reveal that the two have approximately 57 million user and driver records from Uber and LinkedIn. 90,000 user details were leaked from Lynda.com, an education site.
Holding user data, Glover and Mereacre later created a Protonmail email address to contact the hacked companies.. Contacted Uber in early November 2016.. Two hackers claimed to have found a “major vulnerability” and gave a sample of the stolen data. The duo demanded a $100,000 payment in bitcoin, which Uber accepted. The payment was made through the company’s HackerOne bug bounty program, and Uber required the two hackers to sign a confidentiality agreement banning the use of the data and public disclosure of the vulnerability.. Uber managed to stay silent for more than a year, until November 2017.. The court sentenced Uber to a fine of 385,000 pounds in the UK and 600 thousand euros in the Netherlands for covering up such an event.. The company also agreed to pay an additional $148 million for the lawsuit.
The situation was slightly different with LinkedIn.. The company agreed to pay the hackers but refused the confidentiality agreement. Hackers increase ransom amount to $1 million. However, these requests of the hackers were also not accepted.. The incident was brought to the judicial authorities in a short time.
Two hackers pleaded guilty in California court. The court ordered the two hackers to each pay up to 5 years in prison and $250,000 each.