Uber disclosed late yesterday that it was breached by two hacker-extortionists in October 2016. The ride-service says that 57 million individuals were affected. Riders' names, email addresses and mobile phone numbers were lost, and 600 thousand drivers' names and license numbers were also exposed. User information was lost in many countries around the world; the affected drivers appear to have all worked in the US. Uber is reported to have paid the hackers $100,000 to delete the data and keep quiet about the whole thing.
The breach is said to be traceable to stolen credentials. Bloomberg and others report that the hackers got credentials from a private GitHub site Uber software developers used, and then employed those credentials to access data stored in an Amazon Web Services (AWS) bucket.
The incident and its cover-up were discovered in the course of an investigation of Uber's security team which the company's board commissioned this fall. Uber's CEO, Dara Khosrowshahi, who's been in the job since this September, said in a statement that he'd just learned of the incident, that Uber intended to do better, and that two executives responsible for handling the security incident are no longer with the company. Bloomberg reports that one of the two is CSO Joe Sullivan, a former US Federal prosecutor who joined Uber in 2015 from Facebook. Uber faces a great deal of scrutiny and litigation: the New York State Attorney General has already announced it's opened an inquiry.
HP plans to patch printer vulnerabilities soon.