Pierluigi Paganini October 09, 2015

The findings of the investigation conducted by Uber on the recent security breach raise doubts on the alleged involvement of a competitor, the Lyft.

The findings of the investigation conducted by Uber on the recent security breach that exposed details of its drivers, seems to confirm the involvement of a competitor, the Lyft.

On May 2014, someone got a copy of an access key to one of Uber’s databases containing 50000 Uber drivers’ records, and somehow all end up in GitHub, though it’s not clear how.

Ubers only realized that they have been stolen in September of the same year, and asked GitHub for their help, to try to find the IP addresses of everyone who say the leaked database key on GitHub.

Two anonymous sources revealed to the Reuters that the IP addresses that viewed the leaked key has been traced back to a Comcast broadband account belonging to Chris Lambert, CTO of at Lyft.

“After Uber discovered the unauthorized download, it examined the Internet Protocol addresses of every visitor to the page during the time between when the key was posted and when the breach occurred, according to court documents. The Uber review concluded that “the Comcast IP address is the only IP address that accessed the GitHub post that Uber has not eliminated” from suspicion, court papers say.” states the Reuters. “The numeric Comcast IP address and some other details have been redacted from court filings, so Reuters was unable to independently assess whether there was a connection between Lambert and the Comcast IP address”

But the IP address used to download the information contained in the Uber database does not match Lambert’s personal IP address. The Uber data was carried out by someone using a VPN service based in Scandinavia and the IP address used in the actual hack is still unknown.

The two sources confirmed that Uber researched the address and discovered that it showed up elsewhere in Internet postings associated with Lambert.

“The two sources, however, said Uber researched the address and discovered that it showed up elsewhere in Internet postings associated with Lambert, and that the address was assigned to his name.” continues the Reuters.

Lyft denies any involvement in the attack and stated:

“Uber allowed login credentials for their driver database to be publicly accessible on GitHub for months before and after a data breach in May 2014,” , “We investigated this matter long ago and there are no facts or evidence that any Lyft employee, including Chris, downloaded the Uber driver information or database, or had anything to do with Uber’s May 2014 data breach.”

“The timing of the Reuters report is very interesting. The news broke a few hours before Lyft announced major partnerships with Shell (giving a fuel discount to its drivers) and Hertz, so that people renting cars can also be Lyft drivers.” states the Register in blog post, 

It will be interesting to find out more about all this, and see how it will end up.

About the Author Elsio Pinto

Edited by Pierluigi Paganini

(Security Affairs – Boarding Pass,  hacking)