[BreachExchange] Two hackers behind 2016 Uber data breach have been indicted for another hack

Destry Winant destry at riskbasedsecurity.com
Mon Oct 29 03:25:48 EDT 2018


Two hackers who stole millions of users’ data from ride-hailing firm
Uber have been indicted on separate hacking charges related to a data
breach at online learning portal Lynda, two people familiar with the
case have told TechCrunch.

Vasile Mereacre, a Canadian citizen living in Toronto, and Brandon
Glover, a Florida resident, were indicted earlier this month in
Florida on federal hacking and extortion charges for stealing data on
55,000 Lynda users’ accounts.

According to the recently unsealed indictment, the FBI was considering
extraditing Mereacre from Canada, but federal agents later learned
that he was planning to fly to Miami on October 16. Mereacre was
arrested by FBI agents once he landed, and made his initial appearance
in court — at which the indictment was unsealed.

The indictment accuses the two alleged hackers of obtaining tens of
thousands of Lynda  user accounts from a company-owned Amazon web
server. Prosecutors accused the two of “exerting control over the
accounts as a means to obtain money from LinkedIn.” Using a burner
Protonmail email account, the two emailed LinkedIn and HackerOne, a
bug bounty program used by Lynda, to disclose the breach.

“I was able to access backups upon backups,” one of the defendants
wrote in their email. They also claimed to have usernames, passwords,
payment data and backend code.

When an unnamed LinkedIn executive emailed back inviting the alleged
hackers to its HackerOne bug bounty program, they said to “keep in
mind, we expect a big payment as this was hard work for us.”

The two were released on a bond, and on condition that they are not
permitted to use the internet. The case is now being heard in a
California court.

The accusations are nearly identical to the circumstances around
Uber’s breach, just months earlier.

Uber disclosed the breach of 57 million worldwide users — including
4.1 million drivers — almost a year later. The company was accused of
covering up the breach, after two former senior Uber executives —
since fired — paid the two hackers $100,000 through its bug bounty to
destroy the data that they obtained but without notifying customers or

Little was known about the hackers until Uber’s chief information
security officer John Flynn told lawmakers at a Senate Commerce
Committee hearing in February that the two hackers were from Florida
and Canada.

Uber declined to comment.

The hackers gained access to an Amazon web server, owned by Uber,
using credentials that were mistakenly left in a GitHub repository by
an Uber engineer. According to an investigation by the Federal Trade
Commission, the hackers downloaded more than a dozen files — including
a backup file — containing Uber customer data. It’s not known what was
said in the disclosure to Uber, but the FTC claimed the hackers were
“demanding” a six-figure payout.

The breach was one of several scandals to plague the ridesharing
company and the eventual departure of founder Travis Kalanick from the

Since the breach, Uber agreed to 20 years of privacy audits in a
settlement with the FTC. The company was later ordered to pay $148
million in its breach settlement.

A spokesperson for the Justice Department did not respond to a request
for comment, nor did Glover’s public defender Michael Ryan. Mereacre’s
attorney, Christopher Lyons, declined to comment. HackerOne did not

LinkedIn spokesperson Mary-Katharine Juric said: “We appreciate the
ongoing work by the FBI to pursue those believed responsible for the
2016 breach of Lynda user information. We will continue to engage with
law enforcement as this case develops.”

Parts of Glover’s docket appear to have been withheld. Mereacre will
appear in court on November 8.

More information about the BreachExchange mailing list