Uber Got Hacked Because It Left Its Security Key Out In Public

Remember how Uber, in a Friday night post last week, admitted that the names and personal info of 50,000 drivers had been accessed by an unknown party? Well, Ars Technica has an update. A sad update.

According to Ars, Uber seems to have made the most rookie security mistake of them all, which Dan Goodin calls “the online equivalent of stashing a house key under a doormat.” It looks like Uber accidentally stored a secure database key — intended for use only by select employees — on a publicly accessible GitHub page. The access key led to a database where drivers’ names and licence numbers were stored, and was obviously never intended to be public. Once the company realised its database had been breached in May of last year, it changed the key and took the GitHub page offline.

Though Uber hasn’t publicly confirmed what was on GitHub or who was responsible, it’s implying it by subpoenaing GitHub in an effort to get ahold of the IP addresses of anyone who might have accessed the GitHub page over seven months in 2014 (information GitHub has already refused to hand over). The Register has the subpoena and the details, and points out that even if GitHub hands over that info, Uber will be extremely lucky if it leads to anything:

“In other words, Uber hopes it will find an online breadcrumb trail from the gist to whoever hacked its systems. Quite why Uber has waited more than five months to subpoena GitHub is unclear, and the taxi-booking biz has refused to explain the delay.”

If Uber really did put its security key on a public site, subpoenaing GitHub is an extraordinarily presumptuous move, though it’s really all that Uber can do at this point. I’ve reached out to Uber and will update when I hear back, and we’ll find out soon enough whether GitHub will stick to its guns. Either way, come on, guys.

[Ars Technica, The Register]