March 5, 2015 By Jaikumar Vijayan 2 min read

A recent data breach at Uber shows how popular code-sharing sites such as GitHub and SourceForge can sometimes be a rich source of information for those looking to break into enterprise networks.

Illegal Access

On Feb. 27, Uber disclosed that someone had illegally accessed an internal database containing names and driver’s license information belonging to 50,000 drivers. The company said the intrusion happened in May 2014 but was only discovered in September.

Uber did not say how it discovered the intrusion, nor did it offer any explanation for the delay in notifying those affected by the breach, even though state laws require organizations to notify victims as soon as a breach is discovered.

In a prepared statement announcing the data breach, Uber said it changed access protocols for the data as soon as the issue was discovered. The company added that it has not yet received any reports of the compromised data being misused.

John Doe Lawsuit

Uber filed a John Doe lawsuit in the U.S. District Court for the Northern District of California against those responsible for the data theft. The lawsuit seeks a court order barring the unnamed defendants from accessing Uber’s files again or transmitting them anywhere. In court papers filed in connection with the case, Uber described the database from which the data was stolen as closely guarded.

“Accessing them from Uber’s protected computers requires a unique security key that is not intended to be available to anyone other than certain Uber employees,” the company said in the lawsuit. “No one outside of Uber is authorized to access the files.”

However, on May 12, 2014, someone with an IP address that did not belong to Uber or any of its employees used the unique security key to access the database and download its contents, according to court documents.

Security Key Stored on GitHub

Whoever accessed Uber’s database appears to have obtained the security key from a public page on GitHub. A subpoena has been served to GitHub to try to force it to disclose the IP addresses or subscriber IDs of all individuals who may have viewed, accessed or modified content on the GitHub Web page on which the security key was stored.

Uber wants GitHub to provide it with all records or metadata pertaining to the browsers and devices that were used to view or access the page. The data being sought includes logged HTTP headers, cookies and device ID information.

Services like GitHub and SourceForge are popular because they give software developers a place to collaborate on projects, make and store changes and maintain a complete revision history of all modifications made to code over the life of a project.

Potential Downsides

One of the downsides for companies is that developers who use these services are not always careful about what they upload and store online. It is not unusual to find files containing private security keys, login credentials, security tokens, configurations and other data stored online along with the source code. Attackers with access to such information can leverage it to gain access to enterprise systems and data. Often, all it takes to unearth sensitive information is a simple search on GitHub.

Since Uber has not disclosed any details on the breach, it is unclear which data exactly was stored online on the GitHub page, which is the subject of the Uber subpoena. However, court documents suggest the individual who accessed the ride share company’s database used a security key stored on the website.

More from

Is the water safe? The state of critical infrastructure cybersecurity

4 min read - On September 25, CISA issued a stark reminder that critical infrastructure remains a primary target for cyberattacks. Vulnerable systems in industrial sectors, including water utilities, continue to be exploited due to poor cyber hygiene practices. Using unsophisticated methods like brute-force attacks and leveraging default passwords, threat actors have repeatedly managed to compromise operational technology (OT) and industrial control systems (ICS).Attacks on the industrial sector have been particularly costly. The 2024 IBM Cost of a Data Breach report found the average total…

Cybersecurity trends: IBM’s predictions for 2025

4 min read - Cybersecurity concerns in 2024 can be summed up in two letters: AI (or five letters if you narrow it down to gen AI). Organizations are still in the early stages of understanding the risks and rewards of this technology. For all the good it can do to improve data protection, keep up with compliance regulations and enable faster threat detection, threat actors are also using AI to accelerate their social engineering attacks and sabotage AI models with malware.AI might have…

Cloud threat report: Why have SaaS platforms on dark web marketplaces decreased?

3 min read - IBM’s X-Force team recently released the latest edition of the Cloud Threat Landscape Report for 2024, providing a comprehensive outlook on the rise of cloud infrastructure adoption and its associated risks.One of the key takeaways of this year’s report was focused on the gradual decrease in Software-as-a-Service (SaaS) platforms being mentioned across dark web marketplaces. While this trend potentially points to more cloud platforms increasing their defensive posture and limiting the number of exploits or compromised credentials that are surfacing,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today