http://arstechnica.com/security/2015/03/in-major-goof-uber-stored-sensitive-database-key-on-public-github-page/
By Dan Goodin
Ars Technica
March 2, 2015
Uber is trying to force GitHub to disclose the IP address of every person
who accessed a webpage connected to a database intrusion that exposed
sensitive personal data for 50,000 drivers. The court action revealed that
a security key unlocking the database was stored in a publicly accessible
place, the online equivalent of stashing a house key under a doormat.
Uber officials have yet to say precisely what information was contained in
the two now-unavailable GitHub gists. But in a lawsuit filed Friday
against the unknown John Doe intruders, Uber lawyers said the URLs
contained a security key that allowed unauthorized access to the names and
driver's license numbers of about 50,000 Uber drivers. The ride-sharing
service disclosed the breach on Friday, more than two months after it was
discovered.
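The check a team would want in place after an incident like this, added here as an example and not Uber's or GitHub's code: a small Python scanner, usable as a pre-commit or pre-push hook, that flags credential-looking strings before a file is pushed to a public repository or gist. The article does not say what kind of key the gists held, so the patterns (an AWS access-key-ID format, PEM private-key headers, password=/secret=-style assignments) and the entropy threshold are assumptions, and the sample gist it scans is constructed for the example.

```python
"""Pre-push secret check: flag credential-looking strings in text that is
about to become public (a gist, a commit, a pasted config).

Added example for this article; not Uber's or GitHub's code. The article
does not say what kind of key the gists held, so the patterns below are a
generic, representative set (assumption), not an exhaustive one."""
import math
import re
import sys
from collections import Counter

# Known credential formats (assumption: representative, not exhaustive).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    # keyword = value  (password, secret, api_key, token, db_key ...)
    "generic_assignment": re.compile(
        r"(?i)\b(?:password|passwd|secret|api[_-]?key|token|db[_-]?key)\b"
        r"\s*[:=]\s*['\"]?[^\s'\"]{8,}"),
}

# Tokens made of base64/hex-style characters; '=' is left out so that
# NAME=value splits into a name and a value.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/_\-]{20,}")


def shannon_entropy(s):
    """Bits per character of s; random keys sit well above prose or identifiers."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text, entropy_threshold=4.0):
    """Return [(line_no, kind, match), ...] for every suspicious string in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                findings.append((line_no, kind, m.group(0)))
        # Entropy catches keys whose format no pattern knows; skip tokens that
        # are already inside a pattern hit on the same line.
        for tok in TOKEN_RE.findall(line):
            already = any(ln == line_no and tok in hit for ln, _, hit in findings)
            if not already and shannon_entropy(tok) >= entropy_threshold:
                findings.append((line_no, "high_entropy", tok))
    return findings


def should_block(text):
    """Gate for a pre-commit / pre-push hook: True when anything was found."""
    return bool(scan_text(text))


# Constructed sample gist (not the real one): a config-style file that
# mixes harmless settings with four kinds of secret.
SAMPLE_GIST = """\
# constructed sample gist; not the real Uber gist
host = db.internal.example.com
DB_KEY = 'q7Zr2pL9vXa4Tn8bWc1dKf5gHj3mNs6y'
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
# carried over from the old deploy script
export DUMP_AUTH=Xq3vT8bK2pL7nRd9sWf4gZm1hYc6jAe5uNt0iBo
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    # Usage: python secret_check.py [file ...]; with no files, scans the sample.
    # Exit status 1 blocks the commit/push when wired in as a git hook.
    if len(sys.argv) > 1:
        texts = [(p, open(p, encoding="utf-8", errors="replace").read())
                 for p in sys.argv[1:]]
    else:
        texts = [("<sample>", SAMPLE_GIST)]
    blocked = False
    for name, text in texts:
        for line_no, kind, hit in scan_text(text):
            print(f"{name}:{line_no}: {kind}: {hit[:60]}")
            blocked = True
    sys.exit(1 if blocked else 0)
```

Run without arguments it reports the four secrets in the sample (the DB_KEY assignment, the AKIA-prefixed key, the bare high-entropy token, and the private-key header) and exits non-zero. Two caveats: a scanner like this is a last line of defence, not a substitute for keeping keys out of source entirely, and once a key has been public it must be treated as compromised and rotated; taking the gist down afterwards, as happened here, does not recover it, because anyone who fetched or cloned it still has it.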
"The contents of these internal database files are closely guarded by
Uber," the complaint stated. "Accessing them from Uber’s protected
computers requires a unique security key that is not intended to be
available to anyone other than certain Uber employees, and no one outside
of Uber is authorized to access the files. On or around May 12, 2014, from
an IP address not associated with an Uber employee and otherwise unknown
to Uber, John Doe I used the unique security key to download Uber database
files containing confidential and proprietary information from Uber’s
protected computers."
[...]