Two men pleaded guilty today to hacking Uber and LinkedIn’s Lynda.com service back in 2016 and extorting both companies into paying “bug bounties,” so the two would not publicly disclose the breaches.
The two men are Brandon Glover, 26, an American from Florida, and Vasile Mereacre, 23, a Canadian from Toronto.
How they hacked Uber & LinkedIn
According to court documents, in 2016, the two used “their custom-built GitHub account checker tool” to test credentials leaked at other sites against GitHub’s service.
They specifically targeted credentials for corporate employees, so they could breach high-value GitHub accounts and look for sensitive information.
Once they breached accounts, Glover and Mereacre would search companies’ GitHub projects for Amazon Web Services (AWS) credentials.
The two used these AWS credentials to connect to companies’ backends and retrieve sensitive data, such as user details or backups.
Court documents said the two had success in obtaining around 57 million user and driver records from Uber, and another 90,000 user details from Lynda.com, an educational website owned by LinkedIn.
The Uber extortion
With user data in possession, Glover and Mereacre created a Protonmail email address that they then used to contact the hacked companies.
They began with Uber in early November 2016, when they contacted the company’s Chief Security Officer. The two hackers claimed they “found a major vulnerability,” and provided a sample of the stolen data.
The two demanded a $100,000 payment in bitcoin, to which Uber agreed. The payment was handled via the company’s HackerOne bug bounty program, and Uber required the two hackers to sign a confidentiality agreement prohibiting the use of the data and public disclosure of the security breach.
Uber managed to keep its security breach quiet for more than a year, until November 2017, when Uber’s new leadership learned of the company’s past cover-up and decided to go public.
At the time, Uber execs told various news outlets that they knew who was behind the attacks — naming a hacker in Florida and another one in Canada.
For its cover-up, the FTC placed Uber under a strict security audit, and the company was fined in the UK (£385,000) and the Netherlands (€600.000). It also agreed to pay $148 million in a class-action lawsuit settlement.
The LinkedIn extortion
But while the Uber extortion played well for the hacker duo, things didn’t go the same with LinkedIn. Court documents reveal that when Glover and Mereacre reached out to LinkedIn in December 2016, the company entertained their extortion attempt, but chose to go public with the security breach after confirming its validity.
In their extortion attempt, the two hackers also tried to raise the ransom demand to a seven-digits figure.
“[P]lease keep in mind, we expect a big payment as this was hard work for us, we already helped a big corp which paid close to 7 digits,” the two wrote in an email.
Law enforcement started an investigation shortly after Uber went public. Glover was arrested first. Mereacre was arrested in October 2018, when he visited Miami, TechCrunch reported at the time.
Today, the two pleaded guilty in a California court. The New York Times, which first reported the guilty plea, said the two face up to five years in prison and a $250,000, each.