Uber paid 20-year-old Florida man to keep data breach secret, sources said

A 20-year-old Florida man was responsible for the large data breach at Uber Technologies last year and was paid by Uber to destroy the data through a so-called “bug bounty” program normally used to identify small code vulnerabilities, three people familiar with the events have told Reuters.

Uber announced on Nov. 21 that the personal data of 57 million users, including 600,000 drivers in the United States, were stolen in a breach that occurred in October 2016, and that it paid the hacker $100,000 to destroy the information. But the company did not reveal any information about the hacker or how it paid him the money.

Uber made the payment last year through a program designed to reward security researchers who report flaws in a company’s software, these people said. Uber’s bug bounty service – as such a program is known in the industry – is hosted by a company called HackerOne, which offers its platform to a number of tech companies.

Reuters was unable to establish the identity of the hacker or another person who sources said helped him. Uber spokesman Matt Kallman declined to comment on the matter.

Newly appointed Uber Chief Executive Dara Khosrowshahi fired two of Uber’s top security officials when he announced the breach last month, saying the incident should have been disclosed to regulators at the time it was discovered, about a year before.

It remains unclear who made the final decision to authorize the payment to the hacker and to keep the breach secret, though the sources said then-CEO Travis Kalanick was aware of the breach and bug bounty payment in November of last year.

Kalanick, who stepped down as Uber CEO in June, declined to comment on the matter, according to his spokesman.

A payment of $100,000 through a bug bounty program would be extremely unusual, with one former HackerOne executive saying it would represent an “all-time record.” Security professionals said rewarding a hacker who had stolen data also would be well outside the normal rules of a bounty program, where payments are typically in the $5,000 to $10,000 range.

HackerOne hosts Uber’s bug bounty program but does not manage it, and plays no role in deciding whether payouts are appropriate or how large they should be.

HackerOne CEO Marten Mickos said he could not discuss an individual customer’s programs. “In all cases when a bug bounty award is processed through HackerOne, we receive identifying information of the recipient in the form of an IRS W-9 or W-8BEN form before payment of the award can be made,” he said, referring to U.S. Internal Revenue Service forms.

According to two of the sources, Uber made the payment to confirm the hacker’s identity and have him sign a nondisclosure agreement to deter further wrongdoing. Uber also conducted a forensic analysis of the hacker’s machine to make sure the data had been purged, the sources said.

One source described the hacker as “living with his mom in a small home trying to help pay the bills,” adding that members of Uber’s security team did not want to pursue prosecution of an individual who did not appear to pose a further threat.

The Florida hacker paid a second person for services that involved accessing GitHub, a site widely used by programmers to store their code, to obtain credentials for access to Uber data stored elsewhere, one of the sources said.

GitHub said the attack did not involve a failure of its security systems. “Our recommendation is to never store access tokens, passwords, or other authentication or encryption keys in the code,” that company said in a statement.

Tokyo’s Secret, Members-Only Nintendo-Themed Bar

To get into the private Nintendo-themed bar “84,” you gotta either be a member or know someone. Its address isn’t listed and the establishment is strictly card-carrying members only. No wonder the door makes a Zelda secret sound when opened.

Website Tofugu recently profiled 84, which is read as “Hashi.” The name is a wordplay on the owner’s last name Hashimoto, chopsticks (“hashi” in Japanese), and World 8-4 (“hachi” is eight and “shi” is four). 

The bar doesn’t have a sign on the street, and you’d have to know where it’s located to find the spot. 

“To become an official member, associate members are required to come to 84 five times as well as do two ‘meetings,’” Hashimoto told Tofugu. “By that I mean chat and drink with me and another official member. I just want to get to know them. Then, they can become official members and get an official member card. See, they’re shaped like Famicom cartridges!”

According to Hashimoto, around half of 84’s members are game developers, while the other half are comedians, manga artists, musicians, wrestlers and some regular folks. From the sound of it, this bar is a place game creators can go and chill.

The only people Hashimoto has refused as members are folks who’ve been too excited to see game devs and wanted to bother and pester them, instead of leaving them alone. 

The bar is filled with autographs and memorabilia. Not everything is Nintendo related!

The Legend of Zelda series executive producer Eiji Aonuma drew Link using chopsticks. [Image: Tofugu]
A Kirby plate signed by Masahiro Sakurai. [Image: Tofugu]
A drawing by Takashi Tezuka. [Image: Tofugu]
Shigeru Miyamoto, however, wouldn’t draw Mario using chopsticks. [Image: Tofugu]
Dragon Quest creator Yuji Horii drew a Slime, writing “Life is role playing.” [Image: Tofugu]
Here are signatures and drawings from Game Freak devs. [Image: Tofugu]
Mother creator Shigesato Itoi. [Image: Tofugu]
Koji Kondo signed sheet music. [Image: Tofugu]
Told you everything wasn’t Nintendo themed. [Image: Tofugu]

For more, check out Tofugu’s article right here. 

