Two men reportedly face a up to five years in prison after pleading guilty in federal court on Wednesday to hacking into Uber’s and Lynda.com’s databases and holding their contents for ransom.
According to reports, Brandon Glover of Winter Springs, Florida and Vasile Mereacre of Toronto, Canada, admitted to hacking into the GitHub accounts of Uber and Lynda.com employees in 2016. These accounts contained credentials for Amazon Web Services, which they used to access AWS servers holding the companies’ precious data.
The Uber breach impacted 57 million customers and drivers, located worldwide, while the breach of Lynda.com, an online learning platform subsidiary of LinkedIn (later rebranded LinkedIn Learning), affected 90,000 customer accounts. In both cases, the defendants in the case attempted to extort a payment from the companies in the guise of a “reward.”
A superseding indictment issued on Oct. 30 by the U.S. Attorney’s Office offered a closer look at the breaches and how the victims responded.
At one point, the defendants sent an email to LinkedIn describing the data they managed to grab. “Before I continue, I would like to say that this does not look good, I was able to access backups upon backups , me and my team would like a huge reward for this, [sic]. The things we found were some of the following, [L]ynda database, email names addresses, usernames, some passwords, payments, we also found backend code and many more.” The email later continues, “Before I continue, I would like to ask that you guys will promise to compensate for this find.”
Lynda.com opted to publicly disclose the breach rather than pay up. Uber, on the other hand agreed to pay the hackers $100,000, and originally kept the incident quiet. According to the superseding indictment, Uber had Glover and Mereacre sign confidentiality agreements stipulating that they would not use the stolen use or publicly expose the breach.
Later, under new leadership, the company on Nov. 22, 2017 publicly owned up to the breach and its subsequent cover-up, and in September 2018 accepted a settlement of a $148 million fine from the Federal Trade Commission for its actions.