Uber and LinkedIn attackers plead guilty to hacking and extortion

The hackers who infiltrated Uber's and LinkedIn-owned Lynda.com's Amazon web servers have pleaded guilty in California federal court to charges of computer hacking and extortion conspiracy. Canadian national Vasile Mereacre and Florida resident Brandon Glover were indicted in 2018 for stealing information from LinkedIn training site Lynda.com in a breach that affected 55,000 accounts. It was later revealed that they were also behind a 2016 Uber breach that compromised 57 million users.

The duo has admitted to Judge Lucy Koh that they used Amazon Web Services logins belonging to Uber and Lynda.com employees to access their servers. They also admitted to stealing private customer information and then contacting the companies to extort them for hundreds of thousands of dollars' worth of bitcoin.

When Mereacre and Glover demanded payment from Lynda.com to delete their stolen records, they included a note that said they're expecting a big payment and that they already "helped a big corp which paid close to 7 digits." They were probably talking about Uber, which paid them $100,000 under its bug bounty program and then hunted them down to make them sign non-disclosure agreements. The LinkedIn-owned subsidiary, however, refused to pay, notified their customers about the breach and chose to find a way to identify the hackers instead.

Even though Uber initially chose to keep the incident a secret, it eventually came to light and prompted an FTC investigation. As a result, the ride-hailing giant was slapped with a $148 million fine and had to agree to 20 years of privacy audits -- the company also fired chief security officer Joe Sullivan, who arranged the payments and decided not to alert users about the breach. According to The New York Times, the duo could face a max sentence of up to five years in federal prison and could be fined up to $250,000. They will be sentenced in 2020.