Two hackers behind 2016 Uber data breach have been indicted for another hack

Two hackers who stole millions of users’ data from ride-hailing firm Uber have been indicted on separate hacking charges related to a data breach at online learning portal Lynda, two people familiar with the case have told TechCrunch.

Vasile Mereacre, a Canadian citizen living in Toronto, and Brandon Glover, a Florida resident, were indicted earlier this month in Florida on federal hacking and extortion charges for stealing data on 55,000 Lynda users’ accounts.

According to the recently unsealed indictment, the FBI was considering extraditing Mereacre from Canada, but federal agents later learned that he was planning to fly to Miami on October 16. Mereacre was arrested by FBI agents once he landed, and made his initial appearance in court — at which the indictment was unsealed.

The indictment accuses the two alleged hackers of obtaining tens of thousands of Lynda user accounts from a company-owned Amazon web server. Prosecutors accused the two of “exerting control over the accounts as a means to obtain money from LinkedIn.” Using a burner ProtonMail email account, the two emailed LinkedIn and HackerOne, a bug bounty program used by Lynda, to disclose the breach.

“I was able to access backups upon backups,” one of the defendants wrote in their email. They also claimed to have usernames, passwords, payment data and backend code.

When an unnamed LinkedIn executive emailed back inviting the alleged hackers to its HackerOne bug bounty program, they said to “keep in mind, we expect a big payment as this was hard work for us.”

The two were released on bond, on the condition that they do not use the internet. The case is now being heard in a California court.

The accusations are nearly identical to the circumstances around Uber’s breach, just months earlier.

Uber disclosed the breach of 57 million users worldwide — including 4.1 million drivers — almost a year later. The company was accused of covering up the breach, after two former senior Uber executives — since fired — paid the two hackers $100,000 through its bug bounty to destroy the data they had obtained, without notifying customers or regulators.

Little was known about the hackers until Uber’s chief information security officer John Flynn told lawmakers at a Senate Commerce Committee hearing in February that the two hackers were from Florida and Canada.

Uber declined to comment.

The hackers gained access to an Amazon web server, owned by Uber, using credentials that were mistakenly left in a GitHub repository by an Uber engineer. According to an investigation by the Federal Trade Commission, the hackers downloaded more than a dozen files — including a backup file — containing Uber customer data. It’s not known what was said in the disclosure to Uber, but the FTC claimed the hackers were “demanding” a six-figure payout.

The breach was one of several scandals to plague the ridesharing company, along with the eventual departure of founder Travis Kalanick from the company.

Since the breach, Uber agreed to 20 years of privacy audits in a settlement with the FTC. The company was later ordered to pay $148 million in its breach settlement.

A spokesperson for the Justice Department did not respond to a request for comment, nor did Glover’s public defender Michael Ryan. Mereacre’s attorney, Christopher Lyons, declined to comment. HackerOne did not comment.

LinkedIn spokesperson Mary-Katharine Juric said: “We appreciate the ongoing work by the FBI to pursue those believed responsible for the 2016 breach of Lynda user information. We will continue to engage with law enforcement as this case develops.”

Parts of Glover’s docket appear to have been withheld. Mereacre will appear in court on November 8.