Uber Pays Hackers $100,000 to Conceal Breach Affecting 57 Million Users and Drivers

Bloomberg

[Image: Uber app on a smartphone screen, representing the ride-hailing platform that paid to conceal a breach of 57 million users. Source: Wikimedia Commons]

What happened

Hackers accessed Uber's GitHub repository, found AWS credentials in code, and downloaded data for 57 million riders and drivers in late 2016. Uber's security team paid the attackers $100,000 through its bug bounty program to delete the data and stay silent, concealing the breach from regulators and the public for a year.[1]

[Image: Uber paid hackers $100,000 to delete stolen data and stay quiet, concealing a breach of 57 million rider and driver records for over a year. Source: Bad.Technology archive]

What went wrong

AWS credentials were committed to a private GitHub repository and never rotated. Uber's security leadership then made the deliberate decision to pay the attackers as a "bug bounty" rather than disclose the breach — a decision that resulted in criminal charges against its CSO.[1]

Lesson learned

Secrets must never be stored in source code, even in private repositories. Breach disclosure is a legal obligation in most jurisdictions; concealment compounds the original failure into a criminal matter. Cover-ups cost far more than the breach itself.
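As an added example (not code from this page, from Bloomberg, or from Uber), here are the two defender-side checks that address the failure modes above: a secret scanner that refuses a commit containing AWS-style access keys, and a key-age audit that flags active IAM keys that were never rotated within a policy window. The access key ID prefix format is public; the secret-key regex and the 90-day window are assumptions, and the sample credentials file and key metadata are constructed.

```python
import re
import subprocess
import sys
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# AWS access key IDs use the AKIA/ASIA prefix followed by 16 upper-case
# alphanumerics. The secret-key pattern is a heuristic (assumption): a
# 40-character base64-style token assigned to a key whose name says "secret".
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_-]?secret[_-]?(?:access[_-]?)?key\s*[:=]\s*['\"]?[A-Za-z0-9/+=]{40}"
    ),
}


def scan_text(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, finding) for every line that looks like a credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, kind))
    return findings


def scan_staged_files() -> List[Tuple[str, int, str]]:
    """Pre-commit hook mode: scan every file staged for the next commit."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        capture_output=True, text=True, check=True,
    ).stdout
    results = []
    for path in out.split():
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, kind in scan_text(fh.read()):
                results.append((path, lineno, kind))
    return results


def stale_keys(key_metadata: List[Dict], max_age_days: int,
               now: Optional[datetime] = None) -> List[str]:
    """Return the IDs of Active keys older than max_age_days.

    key_metadata is a list of dicts shaped like the AccessKeyMetadata entries
    IAM's ListAccessKeys returns (AccessKeyId, Status, CreateDate), so a real
    response can be passed straight in.
    """
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=max_age_days)
    return [k["AccessKeyId"] for k in key_metadata
            if k["Status"] == "Active" and k["CreateDate"] < cutoff]


# Constructed sample of a credentials file accidentally added to a repository.
SAMPLE_FILE = """\
[default]
aws_access_key_id = AKIAEXAMPLEEXAMPLE12
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
region = us-west-2
"""

# Constructed sample IAM key metadata: one key created in late 2016 and never
# rotated, one created recently.
SAMPLE_KEYS = [
    {"AccessKeyId": "AKIAEXAMPLEEXAMPLE12", "Status": "Active",
     "CreateDate": datetime(2016, 10, 1, tzinfo=timezone.utc)},
    {"AccessKeyId": "AKIAEXAMPLEEXAMPLE34", "Status": "Active",
     "CreateDate": datetime(2017, 11, 1, tzinfo=timezone.utc)},
]


def demo() -> Dict[str, list]:
    """Run both checks over the constructed samples (audit date is assumed)."""
    audit_date = datetime(2017, 11, 21, tzinfo=timezone.utc)
    return {
        "file_findings": scan_text(SAMPLE_FILE),
        "stale": stale_keys(SAMPLE_KEYS, 90, now=audit_date),
    }


if __name__ == "__main__":
    if "--staged" in sys.argv:
        hits = scan_staged_files()
        for path, lineno, kind in hits:
            print(f"{path}:{lineno}: possible {kind}")
        sys.exit(1 if hits else 0)  # a non-zero exit blocks the commit
    print(demo())
```

Run it with `--staged` from a git pre-commit hook to block the commit, and pass the AccessKeyMetadata list from IAM's ListAccessKeys into `stale_keys` to audit real keys. Scanning the working tree alone is not enough: a key that was ever committed stays in the repository history and must be treated as exposed and rotated, whether or not the file was later deleted.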

Est. value burned: ~$148M ($148M state AG settlement)

Sources

  1. [1]

External links can go dark — pages move, paywalls appear, domains expire. Every source above includes a Wayback Machine snapshot link as a fallback. All citations are best-effort research; if a source contradicts our summary, the primary source takes precedence.