57 Million Hit by Uber Breach: What You Should Know

Uber suffered a data breach in 2016 that exposed the names, email addresses and cellphone numbers of 57 million users and drivers, CEO Dara Khosrowshahi said in a posting on the Uber website today (Nov. 21). He wrote that the license numbers of 600,000 Uber drivers in the United States had also been compromised.

Credit: Mr. Whiskey/Shutterstock

Bloomberg News reported that Uber paid the data thieves $100,000 to not disclose the breach, an allegation that could not independently be confirmed. Khosrowshahi wrote that Uber did not notify regulators of the breach at the time. Bloomberg specified that the breach took place in October 2016.

"I recently learned that in late 2016 we became aware that two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use," wrote Khosrowshahi, who took over this summer after founder Travis Kalanick was ousted. "You may be asking why we are just talking about this now, a year later. I had the same question, so I immediately asked for a thorough investigation of what happened and how we handled it."

No credit-card numbers, bank-account numbers, Social Security numbers or other types of highly sensitive information were compromised in the breach, both Uber and Bloomberg said.

What You Can Do

If you had an Uber account in October 2016, your biggest worry -- and the chances of this happening are slim unless you're someone pretty important -- is that someone could use your email address and cellphone number to hijack your email account and, if applicable, your attached Google or Yahoo accounts.

The attacker could try to force a password reset, which could be verified by a code texted to your cellphone number, which a thief could theoretically (but not easily) intercept. To prevent such attacks, set up an alternate second-factor method on your primary email account, such as Google Authenticator or another smartphone authentication app, or a physical U2F key that plugs into a USB slot on a computer.

Bloomberg reported that Uber security head Joe Sullivan, who had been well regarded when he held the same position at Facebook, was let go over the incident, along with a lawyer who reported to Sullivan. The breach was discovered during the course of an independent investigation of Uber's security team that began last month.

Bloomberg also reported that the breach occurred after "attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company."

Then-CEO Kalanick learned of the breach about a month after it happened, Bloomberg said, but Uber chose to stay silent and pay off the attackers to keep quiet because it was negotiating with U.S. government regulators over the company's liability for unrelated privacy violations.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.