Whoever hacked Uber's driver database wasn't our CTO, says rival Lyft

Exec's IP address used to eyeball leaked security key, but not the addy used to snatch info


Uber's sleuthing to find out who hacked its database of drivers has turned up an interesting snippet regarding its chief competitor, Lyft.

In May last year, a mystery miscreant snatched a leaked copy of an access key to one of Uber's databases, and used it to download records of 50,000 Uber drivers. How the key made its way onto GitHub for all to see is not clear – it may have been accidentally pushed to a public repository of source code. It stayed public for months.

The taxi-booking app maker didn't notice its database had been slurped until September that year, and subpoenaed GitHub to find out the IP addresses of everyone and anyone who saw the leaked database key on its website.

Two anonymous sources alleged to Reuters on Thursday this week that one of the IP addresses that viewed the leaked key has been traced back to a Comcast broadband account belonging to Chris Lambert, CTO of Uber's chief rival Lyft.

But the IP address used to download the records from the driver database does not match Lambert's personal IP address. Instead, the data slurp was carried out by someone using a VPN service based in Scandinavia; the IP address used in the actual hack still remains a mystery.

Lyft denies any wrongdoing by its employees.

"Uber allowed login credentials for their driver database to be publicly accessible on GitHub for months before and after a data breach in May 2014," Lyft told The Register in a statement on Thursday.

"We investigated this matter long ago and there are no facts or evidence that any Lyft employee, including Chris, downloaded the Uber driver information or database, or had anything to do with Uber's May 2014 data breach."

The timing of the Reuters report is very interesting. The news broke a few hours before Lyft announced major partnerships with Shell (giving a fuel discount to its drivers) and Hertz, so that people renting cars can also be Lyft drivers.

Who could have leaked today's claims? Surely not someone within Uber, the whiter-than-white Bay Area upstart that once flashed people's whereabouts live on screen at a party, has revealed statistics on its users' one-night stands, and employs a veep who suggested hiring a private dick to dig up dirt on journalists. ®

