Uber hackers did not download user credit card numbers, company says

A cybersecurity firm hired to investigate the 2016 Uber hack said there is no evidence that hackers accessed user credit card, bank account or Social Security numbers, Uber said in a letter to U.S. Senators who demanded information on the situation.

Uber disclosed that in some cases, the hackers got location information from the place where people signed up for the ride-sharing service, as well as heavily encoded versions of user passwords.

On Nov. 21, Uber disclosed that names, email addresses and mobile-phone numbers of 57 million drivers and riders had been stolen. In a letter to four Republican senators led by Commerce committee Chairman John Thune of South Dakota, the company says that Mandiant, the security firm, found 32 million of those are outside the U.S. and 25 million are inside. Of the total, 7.7 million are drivers, mostly in the U.S., and hackers got driver's license numbers for 600,000 of them, according to the letter from new Uber CEO Dara Khosrowshahi.

The ride-hailing company also said it has not seen evidence of fraud or misuse of data taken in the breach, which lasted more than a year before being disclosed. Two employees were fired for not disclosing the theft to "appropriate parties," the letter said.

The hackers emailed Uber's U.S. security team anonymously on Nov. 14, 2016 telling them about the breach and demanding a payment. Uber tracked down the breach in private cloud data stored on Amazon's web services and shut down access, which came through a "compromised credential," the letter said.

The security team agreed to pay $100,000 to the hackers for an agreement to delete the data, and later tracked down the hackers' real names. Both signed documents assuring that the stolen data was destroyed, Khosrowshahi wrote. Team members found that the hackers first gained access on Oct. 13, 2016, and there was no further access after Nov. 15, 2016, the letter said.

“None of this should have happened, and I will not make excuses for it,” Khosrowshahi said in a blog post. “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”

Uber said last month that it has retained Matt Olsen, the former general counsel of the National Security Agency, to aid in an internal restructuring of its cybersecurity response teams. Uber agreed earlier this year to undergo 20 years of outside audits of its cybersecurity protocols in response to another incident in 2014.

Uber notified the U.S. Attorney's offices in San Francisco and Manhattan, as well as other government agencies, on Nov. 21 of this year, but it's not clear whether any criminal investigation has been started. Neither office confirmed nor denied an investigation.

Uber installed additional protections to stop hackers, including a two-step authentication for one of the services that was hacked, the letter said.

The Associated Press contributed to this report.