March 5, 2015 By Jaikumar Vijayan 2 min read

A recent data breach at Uber shows how popular code-sharing sites such as GitHub and SourceForge can sometimes be a rich source of information for those looking to break into enterprise networks.

Illegal Access

On Feb. 27, Uber disclosed that someone had illegally accessed an internal database containing names and driver’s license information belonging to 50,000 drivers. The company said the intrusion happened in May 2014 but was only discovered in September.

Uber did not say how it discovered the intrusion, nor did it offer any explanation for the delay in notifying those affected by the breach, even though state laws require organizations to notify victims as soon as a breach is discovered.

In a prepared statement announcing the data breach, Uber said it changed access protocols for the data as soon as the issue was discovered. The company added that it has not yet received any reports of the compromised data being misused.

John Doe Lawsuit

Uber filed a John Doe lawsuit in the U.S. District Court for the Northern District of California against those responsible for the data theft. The lawsuit seeks a court order barring the unnamed defendants from accessing Uber’s files again or transmitting them anywhere. In court papers filed in connection with the case, Uber described the database from which the data was stolen as closely guarded.

“Accessing them from Uber’s protected computers requires a unique security key that is not intended to be available to anyone other than certain Uber employees,” the company said in the lawsuit. “No one outside of Uber is authorized to access the files.”

However, on May 12, 2014, someone with an IP address that did not belong to Uber or any of its employees used the unique security key to access the database and download its contents, according to court documents.

Security Key Stored on GitHub

Whoever accessed Uber’s database appears to have obtained the security key from a public page on GitHub. A subpoena has been served to GitHub to try to force it to disclose the IP addresses or subscriber IDs of all individuals who may have viewed, accessed or modified content on the GitHub Web page on which the security key was stored.

Uber wants GitHub to provide it with all records or metadata pertaining to the browsers and devices that were used to view or access the page. The data being sought includes logged HTTP headers, cookies and device ID information.

Services like GitHub and SourceForge are popular because they give software developers a place to collaborate on projects, make and store changes and maintain a complete revision history of all modifications made to code over the life of a project.

Potential Downsides

One of the downsides for companies is that developers who use these services are not always careful about what they upload and store online. It is not unusual to find files containing private security keys, login credentials, security tokens, configurations and other data stored online along with the source code. Attackers with access to such information can leverage it to gain access to enterprise systems and data. Often, all it takes to unearth sensitive information is a simple search on GitHub.

Since Uber has not disclosed any details on the breach, it is unclear which data exactly was stored online on the GitHub page, which is the subject of the Uber subpoena. However, court documents suggest the individual who accessed the ride share company’s database used a security key stored on the website.

More from

How to craft a comprehensive data cleanliness policy

3 min read - Practicing good data hygiene is critical for today’s businesses. With everything from operational efficiency to cybersecurity readiness relying on the integrity of stored data, having confidence in your organization’s data cleanliness policy is essential.But what does this involve, and how can you ensure your data cleanliness policy checks the right boxes? Luckily, there are practical steps you can follow to ensure data accuracy while mitigating the security and compliance risks that come with poor data hygiene.Understanding the 6 dimensions of…

2024 roundup: Top data breach stories and industry trends

3 min read - With 2025 on the horizon, it’s important to reflect on the developments and various setbacks that happened in cybersecurity this past year. While there have been many improvements in security technologies and growing awareness of emerging cybersecurity threats, 2024 was also a hard reminder that the ongoing fight against cyber criminals is far from over.We've summarized this past year's top five data breach stories and industry trends, with key takeaways from each that organizations should note going into the following…

Black Friday chaos: The return of Gozi malware

4 min read - On November 29th, 2024, Black Friday, shoppers flooded online stores to grab the best deals of the year. But while consumers were busy filling their carts, cyber criminals were also seizing the opportunity to exploit the shopping frenzy. Our system detected a significant surge in Gozi malware activity, targeting financial institutions across North America. The Black Friday connection Black Friday creates an ideal environment for cyber criminals to thrive. The combination of skyrocketing transaction volumes, a surge in online activity…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today