Uber Pays Hackers $100,000 to Conceal Breach Affecting 57 Million Users and Drivers

Bloomberg

What happened

In late 2016, two attackers gained access to a private GitHub repository used by Uber engineers, found AWS credentials in the code, and used them to download an archive of personal data on roughly 57 million riders and drivers from the company's AWS account. Uber's security team paid the attackers $100,000 through its bug bounty program to delete the data and keep quiet, concealing the breach from regulators and the public for about a year, until it was disclosed in November 2017.[1]

What went wrong

Long-lived AWS credentials were committed to a private GitHub repository and never rotated, so the repository's access control was the only thing protecting the data store. Uber's security leadership then made the deliberate decision to pay the attackers as a "bug bounty" rather than disclose the breach, a decision that later led to criminal charges against, and the conviction of, its then-CSO.[1]

Lesson learned

Secrets must never be stored in source code, even in private repositories: a private repository is only as private as every account, token and laptop with read access, and a credential that has been committed stays in git history after it is deleted from the working tree. Treat any committed credential as compromised and rotate it immediately. Breach disclosure is a legal obligation in most jurisdictions; concealment turns a security incident into a criminal matter. Cover-ups cost far more than the breach itself.
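The check that would have caught this at commit time is a secrets scan over staged changes. The following is an added example, not Uber's tooling or anything from the Bloomberg report: a pre-commit hook that flags AWS access key IDs (AKIA/ASIA prefixes), a 40-character secret access key next to its usual variable name, and any high-entropy value assigned to a secret-looking name. The sample diff is constructed; the AWS values in it are the example credentials from AWS's own documentation, not live keys, and the entropy threshold is an assumption to tune for your code base.

```python
"""Pre-commit scan for AWS-style credentials in staged changes.

Added example; this is not Uber's tooling. It flags long-term (AKIA...) and
temporary (ASIA...) AWS access key IDs, a 40-character secret access key
sitting next to a variable named like aws_secret_access_key, and any
high-entropy value assigned to a secret-looking name.
"""
import math
import re
import subprocess
import sys
from collections import Counter
from dataclasses import dataclass

# AWS access key IDs are 20 characters: a 4-character prefix plus 16 of [A-Z0-9].
ACCESS_KEY_RE = re.compile(r"(?<![A-Za-z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Za-z0-9])")
# A 40-character secret key within a few punctuation characters of its usual name.
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_-]?secret[_-]?access[_-]?key\W{0,5}([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"
)
# Generic: a secret-looking name assigned a long token; entropy decides whether to flag.
GENERIC_RE = re.compile(
    r"(?i)(?:secret|token|password|passwd|api[_-]?key)\w*\s*[=:]\s*['\"]?([A-Za-z0-9/+_\-]{20,})"
)
ENTROPY_THRESHOLD = 4.0  # bits per character; an assumption, tune for your code base


@dataclass(frozen=True)
class Finding:
    line_no: int  # line number within the text that was scanned
    kind: str
    value: str


def shannon_entropy(s: str) -> float:
    """Bits per character of s; random-looking tokens score high, words score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_line(line_no: int, line: str) -> list[Finding]:
    found: list[Finding] = []
    seen: set[str] = set()  # avoid reporting the same value under two rules
    for m in ACCESS_KEY_RE.finditer(line):
        found.append(Finding(line_no, "aws_access_key_id", m.group(0)))
        seen.add(m.group(0))
    for m in SECRET_KEY_RE.finditer(line):
        found.append(Finding(line_no, "aws_secret_access_key", m.group(1)))
        seen.add(m.group(1))
    for m in GENERIC_RE.finditer(line):
        tok = m.group(1)
        if tok not in seen and shannon_entropy(tok) >= ENTROPY_THRESHOLD:
            found.append(Finding(line_no, "high_entropy_secret", tok))
            seen.add(tok)
    return found


def scan_text(text: str) -> list[Finding]:
    """Scan a whole file's contents."""
    return [f for n, line in enumerate(text.splitlines(), 1) for f in scan_line(n, line)]


def scan_diff(diff: str) -> list[Finding]:
    """Scan only the added lines of a unified diff (what the commit would introduce)."""
    findings: list[Finding] = []
    for n, line in enumerate(diff.splitlines(), 1):
        if line.startswith("+") and not line.startswith("+++"):
            findings.extend(scan_line(n, line[1:]))
    return findings


# Constructed sample of a staged diff. The AWS values are the example credentials
# from AWS's own documentation, not live keys; the other values are made up.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,2 +1,6 @@
 import os
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+SIGNING_TOKEN = "Xk9vQ2mLp7Rt4sWz8NbY3cHd6FgJ1aVe"
+DEFAULT_PASSWORD = "passwordpasswordpassword"
 API_TOKEN = os.environ["API_TOKEN"]
"""


def main() -> int:
    """As a pre-commit hook: scan `git diff --cached`; exit 1 if anything is found."""
    diff = subprocess.run(["git", "diff", "--cached", "--unified=0"],
                          capture_output=True, text=True, check=True).stdout
    findings = scan_diff(diff)
    for f in findings:
        print(f"diff line {f.line_no}: {f.kind} {f.value[:4]}... (redacted)", file=sys.stderr)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

On the sample diff the hook reports the access key ID, the secret access key and the random-looking signing token, and stays quiet on the low-entropy placeholder password and on the value read from the environment. Install it as `.git/hooks/pre-commit`, or better, run the same check server-side (GitHub push protection or a scanner such as gitleaks covers far more credential formats than the three rules here). Whatever the scanner finds in history is already compromised: rotate first, purge the history second.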

Est. value burned: ~$148M (2018 settlement with the state attorneys general)

Sources

  [1] Bloomberg, "Uber Pays Hackers $100,000 to Conceal Breach Affecting 57 Million Users and Drivers", November 2017.