Two men pleaded guilty in US federal court on Wednesday to hacking and extorting companies including Uber and LinkedIn, according to the US Department of Justice. The hackers demanded money from companies in exchange for agreeing to delete confidential data they had stolen.
Brandon Charles Glover and Vasile Mereacre admitted they took part in a conspiracy to access confidential corporate databases on Amazon Web Services using stolen credentials, according to a Justice Department press release. After downloading the information, Glover and Mereacre told companies they found vulnerabilities in employees’ use of the systems. They then demanded the companies give them money in exchange for their deleting the data, the Justice Department said.
The men used an alias and an encrypted email account to reach out to companies and tell them their data was vulnerable, the DOJ said. They also shared a sample of the stolen data to show their systems had been breached before demanding money in return for deleting the data.
“We’re dealing with the most sophisticated cyber actors in the world,” FBI Special Agent in Charge John F. Bennett said in a statement. “In order to take on those people on the front lines of the cybersecurity battle, we rely heavily on our valued relationships and open dialogue with private sector companies in cyber industries. Their willingness to speedily report intrusions to our investigators allows us to find and arrest those who commit data breaches.”
Glover and Mereacre said they gave credentials for Uber’s Amazon Web Services account to a “technically proficient hacker” who found archive files with 57 million Uber user records made up of customer and driver data. They men said they illegally downloaded the records and contacted Uber in November 2016 saying they found a major vulnerability in the rideshare company’s computer security systems. According to the defendants’ plea arguments, Uber said it would pay the men $100,000 in bitcoin via a third party if the defendants signed a confidentiality agreement. The company demanded the payment stay confidential and that the men destroy the data.
Following three weeks of negotiating, Uber made the payments in December. In January 2017, Uber told the defendants it had found Glover’s real identity. A representative from the company met with Glover at his home in Florida, where he admitted his role in the plot and signed a confidentiality agreement using his real name. Two days later, an Uber representative met with Mereacre in Toronto, and he, too, admitted his role in the breach and signed a confidentiality agreement.
Similarly, the defendants obtained information on more than 90,000 confidential Lynda.com user accounts, which they had illegally accessed and downloaded from the platform’s Amazon Web Services account. (LinkedIn is Lynda.com’s parent company.) After emailing some of the user account information to LinkedIn’s security team and demanding compensation to delete the data, LinkedIn began searching for the source of the email.
The defendants told LinkedIn representatives: “[p]lease keep in mind, we expect a big payment as this was hard work for us, we already helped a big corp which paid close to seven digits, all went well.” The men stopped communicating with LinkedIn in January 2017, and the company didn’t end up paying them.
Glover and Mereacre were each charged with one count of conspiracy to commit extortion involving computers. They’ve been released on bond pending sentencing. US District Judge Lucy H. Koh scheduled a status conference on sentencing on March 18, 2020. The men could face up to five years in prison and a $250,000 fine.
“We appreciate the ongoing work by the US Attorney’s office to pursue and bring to justice those responsible for the 2016 breach of Lynda user information,” a LinkedIn representative said in a statement. “We’re glad to see the resolution of this investigation.”