The duo has admitted to Judge Lucy Koh that they used Amazon Web Services logins belonging to Uber and Lynda.com employees to access their servers. They also admitted to stealing private customer information and then contacting the companies to extort them for hundreds of thousands of dollars’ worth of bitcoin.
When Mereacre and Glover demanded payment from Lynda.com to delete their stolen records, they included a note that said they’re expecting a big payment and that they already “helped a big corp which paid close to 7 digits.” They were probably talking about Uber, which paid them $100,000 under its bug bounty program and then hunted them down to make them sign non-disclosure agreements. The LinkedIn-owned subsidiary, however, refused to pay, notified their customers about the breach and chose to find a way to identify the hackers instead.
Even though Uber initially chose to keep the incident a secret, it eventually came to light and prompted an FTC investigation. As a result, the ride-hailing giant was slapped with a $148 million fine and had to agree to 20 years of privacy audits — the company also fired chief security officer Joe Sullivan, who arranged the payments and decided not to alert users about the breach. According to The New York Times, the duo could face a max sentence of up to five years in federal prison and could be fined up to $250,000. They will be sentenced in 2020.