United States v. Glover: Lynda Hacking Indictments Hit Pair Behind Massive Uber Breach

Cybersecurity Reports

Indictment, United States v. Brandon Charles Glover and Vasile Mereacre, No. 5:18-cr-00348-LHK (N.D. Cal. Aug. 2, 2018) https://www.documentcloud.org/documents/5021170-Lynda-indictment.html

The two hackers behind Uber’s large 2016 data breach face felony charges for a separate hack compromising the data of 90,000 Lynda.com users, according to a recently unsealed indictment.

Brandon Glover and Vasile Mereacre were indicted in the Northern District of California on two counts under the Computer Fraud and Abuse Act for the Lynda breach, which also occurred during 2016. The charges are attempted extortion in return for not releasing stolen Lynda.com customer data (18 U.S.C. §§ 1030(a)(7)(B) and (c)(3)(A)) and conspiracy to carry out the same extortion (18 U.S.C. § 1030(b)).

The breach affected users from learning site Lynda.com, which by 2016 had been acquired by LinkedIn, itself a subsidiary of Microsoft. The platform is now known as LinkedIn Learning.

Glover and Mereacre contacted the security team at LinkedIn on December 11, 2016 under a false name via the email account “johndoughs@protonmail.com.” They notified the team about a “security flaw compromising databases of Lynda.com along with credit card payments and much more.”

After engaging a LinkedIn executive, Glover and Mereacre claimed they were able to access “backups upon backups” and possessed passwords, usernames, email addresses, credit card information, and backend code from the site. They insisted on “a huge reward for this.”

The executive referred the two to LinkedIn’s bug bounty program, managed by HackerOne. The pair sent a sample of the data, which had been obtained from the company’s Amazon Web Services account, so its authenticity could be verified.

After the hack came to public light in 2016, a LinkedIn spokesperson told VentureBeat that the passwords were “cryptographically salted and hashed” and that credit card information was not compromised. LinkedIn nonetheless reset the affected users’ passwords and emailed 9.5 million other users whose information wasn’t in the affected database to inform them of the breach. The breach was originally reported to have affected 55,000 users; the unsealed indictment revealed that over 90,000 accounts had been affected.

It is not clear from the indictment whether the hackers successfully obtained payment from LinkedIn, but the documents do state that “victim-corporations communicated with the defendants about payment in exchange for the deletion of the data.”

In the contemporaneous Uber breach, Glover and Mereacre received a payment of $100,000 in return for deletion of the data and silence about the breach. TechCrunch originally reported the link between the hackers in the Lynda and Uber breaches.

Uber controversially did not reveal its 2016 breach for more than a year after it occurred. Hackers accessed data pertaining to 57 million Uber users and drivers, including phone numbers and driver’s license numbers. Uber’s Chief Information Security Officer later acknowledged in testimony to the U.S. Senate Committee on Commerce, Science, and Technology that the six-figure payment to the hackers was inconsistent with its bug bounty program.

Following revelations of the breach, Uber agreed to pay $148 million to settle legal inquiries into the 2016 breach brought by the attorneys general of all 50 states and the District of Columbia, forced out the chief security officer who arranged the payment, and consented to an expanded data privacy settlement with the Federal Trade Commission.

Mereacre is reportedly set to appear in court regarding the Lynda charges on November 8.