Reply All - #111 Return of the Russian Passenger
Episode Date: December 7, 2017
After a secret breaks in the news, Reply All re-examines how Alex Blumberg's Uber account was hacked. This episode is a follow up to #91 The Russian Passenger and #93 Beware All. Further reading: The... Best Password Managers
Transcript
So last March, our boss, Alex Blumberg, came to us with what we thought was a very simple question.
His Uber account had been hacked, and he wanted to know how it happened.
And answering that simple question sent us on a quest that took months.
But finally, we got an answer.
And then, a month ago, a secret was revealed that totally upended our understanding of the story.
So we've decided to reopen it.
Today, we're re-airing the original story and then following it up with more reporting.
If you want to skip straight to the new stuff, it's around 42 minutes.
Okay, here's the show.
From Gimlet, this is Reply All.
I'm Alex Goldman.
And I'm PJ Vogt.
This week, we have our boss, Alex Blumberg, in the studio.
Alex actually just got back from a vacation in the Bahamas.
How was it?
It was great.
So, Alex, you asked us to come into the studio, and I don't have any idea why.
So lay it on us.
I need some super tech support help.
Whoa, you're crossing segments.
I am.
That's right.
What's your super tech support question?
So I was coming home.
So I got home from vacation.
I woke up the next day, and I look at my phone, and I see some Uber notifications.
And this is weird because I haven't called Uber because it was like six in the morning, and that was weird enough, but the really weird thing is that the Uber notifications were in Russian.
Here's a screenshot.
And I actually speak a little Russian.
Oh, right. So what does it say?
This one says, Vash Uber v puti, which means your Uber is en route. Arthur, 4.9 stars, will be there in one minute.
You know, then the next one, Dennis is arriving in a Mercedes-Benz E-Class, license plate, blah, blah, blah, blah, blah.
Arthur is arriving in a Kia Rio.
So it's more than one ride.
It's more than one ride.
Two different people have called Ubers in Russia.
And the notifications are being sent to my phone.
All right.
So I have some questions.
Yes.
Did you check your Uber account to see if these rides appeared in your history, if that's possible?
Okay.
So I checked my bank account, and in fact my bank account had been charged with two rides, $25.
So like what my brain is saying is somehow someone in Russia got the password for your Uber and it's just like...
And hacked my Uber account, right?
It's still being charged to my bank account.
Yeah.
Right.
This actually, this seems annoying, but it seems like you call Uber, you tell them this happened, they refund the charges and they change your password.
How naive.
How innocent.
You're like, like an innocent, naive little lamb.
Okay, so what happens?
All right.
So then I, like, press the Uber icon on my phone to, like, go in.
And instead of the normal thing that happens when it shows up and it says,
Hi, Alex Blumberg, blah, blah, blah, where would you like to go?
Whatever, the normal screen, I get this screen.
And it says...
What?
Uber, get moving with Uber, enter your mobile number.
So it's treating you as a new user, basically.
It's treating me as I've just downloaded the app, and they have no record of who I am or anything.
Which is weird because you're on your phone.
It's on my phone.
It's the app that was installed on my phone,
but when I open it up, it doesn't recognize me.
So then I'm like, uh-oh.
So then the next step would be to call Uber.
It's impossible to call Uber.
Right.
So we emailed help.uber.com, and I got an email response from them saying, like, we are unable to find any account associated with this email and mobile number.
And then I wrote back and I was like, that's really weird because that's my phone number. It's definitely associated with this account.
I have, I just received notifications this morning to this number.
Credit card charges from your company.
I have credit card charges from your company, et cetera, et cetera, et cetera.
And they wrote back the same thing.
And they wrote back, sorry to hear your trouble.
We were unable to find an account associated with an email number.
For security reasons, please email.
And so then I kept on writing, and then they kept on sending the same form email back and forth.
And so then I was like, okay, what do I need to do?
How am I going to get out of this machine loop that I'm in here?
Right?
Like, where they keep sending me the same form letter back over and over again.
And so then I was like, maybe if I, I wrote the word escalate.
And then I started typing some things in all caps.
Wait, you just.
And I started cursing.
Just to, is this going to like get me to a higher level of service?
When you get a robot on the phone sometimes.
Yeah.
It's like you say the right word.
Agent. Agent.
Yeah.
I was doing the email equivalent of agent over and over again.
Were you sending these always individual emails?
Yeah, yeah.
No.
So I have, yeah.
It's like one, two, three, four, five, six, seven, eight, nine, ten, you know, it's like basically 15, 20 emails back and forth between me and Uber.
And it's all getting the same.
And it's all getting the same thing.
So, by this time I'd roped my wife, Nazanin, into helping with this.
And we found, and she still, her Uber app was still working.
And so she found inside the app there is a number that you can find.
And it's the number that you are supposed to call if you've been assaulted or endangered.
That's the one number that is an actual human being on the other end.
Huh.
So I called that number.
And I said, I haven't been assaulted by a driver.
But I need to talk to a person.
But I need to talk to a person.
Because, and then there was a very, very nice lady who was like, I will try to,
let me try to help you.
Explained to her the whole story.
And she was like, okay, give me your phone number.
I gave her the phone number.
And she was like, there's no, I have no memory of this phone number.
Get out of here.
And she was like, hold on.
And then she came back and she was like, there's one more thing I can do.
This is a little unorthodox.
But if you give me your credit card number, I think I can call up your account through that. And I was like, okay. And I gave her my credit card number. The credit card number that had been charged that very morning from Russia. And she was like, I have no record of this credit card ever existing at Uber.
That's so weird.
That's bonkers.
My entire existence has been erased.
It feels creepy.
It's super creepy.
And then I was like, is there anybody that can help me? And she was like, there's nothing I can do. So then I was like, okay. So then I started emailing some more.
And what were you getting any variation in response?
And then they stopped.
And then they just stopped even auto responding.
They stopped responding to your emails at all?
Yep.
So I have not heard from them in three days.
Okay.
And here are my questions.
Yeah.
Go for it.
I want to know.
How did this happen?
And then did somehow I do this?
Or is this purely like a data breach at Uber?
Okay, I think that I hope that I can answer that.
I will look into it for you and I will get back to you.
Okay, a week ago, yes, you came to me with a problem.
I did.
And the first thing that I wanted to know was like, is this a freak occurrence or does this happen all the time?
What I was struck by was just how common this Uber hacking turned out to be.
Like, I went on Twitter and found a ton of people who were having similar problems.
I found people who were reporting that there were rides that they'd never taken in places like London and Hong Kong and France and Indonesia.
It's happening all over the world.
Wow.
And what I was curious about is like where these hacked accounts were coming from.
Like how were people getting their hands on them?
And I saw that Joseph Cox, who is a writer for Motherboard, and he was on the show the other week.
Helping me hack your phone.
Helping you hack my phone.
Yes.
So I saw that he had written about exactly this problem.
Hello, can you hear me?
Yes, I can hear you well. Joseph?
Yeah, how are you doing, man?
So I called him up in Berlin.
And he told me that a while back he was browsing the dark web.
And if you don't know what that is, that is just a part of the internet that is not easy to get to.
It requires special software to get on.
And a lot of illegal stuff is sold there.
So I was just browsing one of the dark web marketplaces, which I actually spent a lot of time doing.
You will just go through the listings like you're on Amazon.
or eBay or whatever, and you'll come across something pretty interesting, like 70% of the time.
Can you give me an example?
Hazmat suits, AK-47s, you know, all the good stuff, really.
So Joseph was just poking around, not really looking for anything in particular.
And I just came across this vendor who said he was selling Uber accounts.
And I thought, well, that's pretty interesting.
Then we looked into it, and there were a hell of a lot of people selling stolen Uber accounts on the dark web.
And Joseph told me that they're relatively cheap.
How cheap is cheap?
They're between $4 and $7 each.
So you can buy somebody else's Uber account for $4 to $7.
Right.
And then basically what you're doing is you're buying my password and login.
Your username and password.
The fact that like, oh, there's all these accounts, like to me that suggests that it's not
everybody's fault, that like somebody isn't getting, if somebody shows up and they're like,
I got a thousand Uber accounts.
You want to buy one?
It's not because they guessed a thousand passwords.
It's because, like, Uber made a mistake.
Totally.
And that's what I assumed was the case also.
Except Joseph specifically asked Uber if they'd gotten hacked.
Uber, they totally denied that they had a data breach.
And then as I continued to report and spoke to these hackers who said that how they were accessing accounts,
that kind of backed up what Uber said.
We found no evidence that there was a data breach actually at Uber itself.
And so I decided to go on the dark web and just ask people like, hey, where are you getting these Uber accounts?
And you would be surprised to learn.
I'm sure you'll be shocked.
They're not super stoked to talk to people who want to talk to them about their criminal activities.
Well, they probably just don't listen to podcasts.
But this one guy went by the username Passman.
I sent him a message saying, did all of these Uber accounts come from some huge hack of Uber?
And he told me the same thing that Joseph told me, which was he didn't think that anything like that had happened.
Okay.
And I said, interesting.
Can you do me a favor and see if any of these email addresses are in your cache of hacked Uber accounts?
And you gave him a bunch of Alex's email addresses?
A couple.
Yeah.
Okay.
And his response was, and I quote,
Why are you giving me your boss's email addresses?
Do you want me to take a crack at his other accounts?
That's daring.
I kind of agree with them.
Yeah.
So I went to all the local muggers, and I showed them a picture of you and your wallet.
And they said they didn't recognize you, but it seemed like you have a lot of money.
Oh, my God.
Okay.
Look, whatever, it's done.
I can't take it back.
Regardless, Joseph told me that he had a theory for what might have happened, and it's this thing that hackers do that's called credential stuffing.
That sounds gross.
It does sound pretty gross.
Joseph told me how it works.
So companies' websites are hacked every single day.
Last year, we had LinkedIn, MySpace, VK.com, all of these other breaches of tens, if not hundreds of millions of accounts, with email addresses and passwords being traded amongst hackers.
But if you're a clever hacker, you're not only going to use those details to break into accounts on that one site, you're going to see if they work on something else.
The problem there is that people are using the same password on multiple websites and services.
All they're doing is reusing the password, but they'll have a special piece of software
which can just churn through hundreds, if not thousands, very, very quickly.
The more that me and my colleagues report on these data breaches every other day, every week,
it is password reuse that is the main threat to ordinary users of the internet, for sure.
So at this point, I'm thinking, like, this might have been the thing that happened to you.
Someone got your password from some other account, like your diapers.com account, and it was the same password that you use for Uber.
I mean, who uses a different password for every single online service they've ever?
I mean, yeah, I totally agree.
I don't do it either.
And I am definitely rethinking that now that I've reported this story.
And to that point, Joseph had a piece of advice.
Get a password manager.
which is a piece of software which will generate unique, strong passwords so you don't have to remember them.
But since I know you don't use a password manager, I wanted to know if someone had found your password in some hack that had made its way onto the internet.
And luckily, there's a guy who can tell us if that happened.
My name is Troy Hunt.
I am a security researcher and I am recording from my home on the Gold Coast in Australia.
Which Troy makes kind of sound like heaven on earth.
Sunny, it's going to be 30 degrees.
That's Celsius, so nice and warm.
I think I might go out on the water.
It's clear skies.
Troy's an internet security researcher.
So he knows that the more a person uses the internet,
signs up for new services, new websites,
the more vulnerable they become.
You sort of leave these little traces of yourself all over the internet.
And as time goes by, those traces just get larger and larger.
and the chances of one of the places you've left your data being breached and that data then being leaked
continues to go up.
So in 2013, Troy started a website that's called Have I Been Pwned.com, P-W-N-E-D.
It's a way for people to find out whether their personal information has ended up on the internet.
So when we see data breaches where a company, like LinkedIn, is hacked and their data is ultimately spread across the internet, I grab these data breaches, I aggregate them into a service, and I make them searchable so that people can discover where they've been exposed.
So what did you find?
Well, PJ, why don't you put your personal email address into this?
Oh, boy. This is uncomfortable. Okay. Oh, no.
Wow. I've been pwned on how many different sites. Two. That's crazy. Like, these are, it's Adobe and Tumblr, both of these are accounts I've had forever.
Oh, that feels horrible.
Your username and password is on the dark web.
That is right now.
A really bad feeling.
That's wild.
Alex Blumberg, would you like to take a look and see what's going on here?
Have I been pwned?
This is terrifying to type this in.
Good news! No pwnage found!
Wow.
All right.
Alex, I don't want to rain on your parade.
But Troy told me that just because the website shows that you haven't been pwned,
that doesn't 100% mean that your credentials have never been part of a data breach.
Yeah, there are a heap of unknown unknowns.
You know, there are all these things that happen that we simply never hear about.
There's stuff that has already happened that will come to light later on.
And there's also stuff that will never come to light.
So, for example, in 2016, 360 million MySpace accounts were put up for sale on the dark web, but they had actually been taken in 2013.
So for like three years, someone was sitting on them, maybe using them, and Troy couldn't put him in his database because he didn't know they'd been hacked.
So even though I got the message saying that I have not been pwned, I may still be pwned.
Yeah, somewhere.
Should we interrupt the Super Tech Support to do a very quick Yes Yes No on the origin of pwn?
Yeah, it's very easy.
You ready?
Yeah.
Most people know it because in video games, when you beat someone very badly, you say that they're owned.
Right.
And the P is right next to the O.
So people frequently misspelled it, and they misspelled it frequently enough that it just became its own word.
Gotcha.
I could have told you that also.
I didn't know that.
So, Have I Been Pwned.com.
Right.
So based on talking to Troy and to Joseph,
My working hypothesis has been that, like, your Friendster account got hacked and it made its way into the internet somewhere and it's just never come to light.
But then I got in touch with Uber.
And what they think happened actually might be a lot worse than that.
What?
What did they tell you?
So you told me at the beginning of the show that your account just disappeared altogether.
Like Uber did not recognize its existence.
Yes, exactly.
And what they told me was when someone changes their account info, like their email address or their phone number, the support team only has access to the new information.
So the way that they found your hacked account was the screenshots that we sent them of your phone's lock screen, which had driver names and driver's licenses on them.
And from the license plate numbers, they identified the rides that were taken.
And from those rides, they identified your account and got it back for you.
But once they got your account back, they took a look at it.
And they told me that they're pretty sure that not only was your Uber account hacked,
but your Gmail account was hacked.
What we saw on our end was some suspicious logins for Alex's Uber account.
So whoever was trying to log in did have his password,
but we have systems that will detect logins that look suspicious.
That's Melanie Ensign, and she is the person whose job it is to talk about security at Uber.
And Melanie told me that when Uber saw your trips in Moscow, the ones that you didn't actually
take, they sent you an email that said, you have to click on this link to verify that you are
actually now in Moscow.
And so whoever had access to his email account was clicking on those links, verifying
it was him, and then deleting the notification before he saw them.
Oh.
And that's why, since Alex doesn't have any memory of ever seeing the email, why we believe
that somebody had access to his email account first
because somebody was taking action on those emails
and then deleting them.
This is where I'm like, okay, maybe, but there's one thing that still does not make sense to me. I have two-step verification, and the purpose of this is that is to protect against just the thing that Uber is saying happened to my account. In theory, even if hackers got my password information from the dark web, they go to their Russian computers and their Russian cyber cafe, they log in, and then they're going to get a message that says, please enter the code. And I would be getting a text to my phone saying, here's your authentication code, and I'd be like, what in the world is going on here? And then I would, like, sound the alarms. So that's what I don't understand. Like how, because I have two-step verification, how did somebody manage to do this from a remote computer?
I mean, is the question you're really asking just, is Uber lying, basically?
Like, are they saying that they sent suspicious activity emails that they didn't really send and they're trying to cover their asses?
I don't think Uber's lying, but I want to find out, can we determine there's got to be somebody that you could call in to tell me if my account has been hacked or not, my Gmail account.
All right. And is it hacked still? Am I, at this very moment, pwned?
All right, I'll try and figure it out.
All right.
Okay, so it's been a couple days, and I just sort of wanted to recap where we're at.
Okay.
At first, I thought that Uber had had some kind of data breach, and your username and password had made it out into the world.
And that does not appear to be the case.
And then I thought that maybe another account of yours got hacked from somewhere else,
and people used that username and password for your Uber, but that also seems unlikely.
And when I went to Uber, Uber told me that your Gmail account had probably been hacked.
And so, like I said, I've been looking into this,
and I don't know what happened to your Gmail.
Okay.
And in the past, when tech support problems have gotten bigger than me,
or at least once, we brought in a ringer.
Okay.
Sort of like a super Alex Goldman.
Yes, we brought in someone who is basically a super version of me.
His name's Dave Maynor.
He is a security researcher.
He lives in Atlanta.
and I have him on the phone.
Howdy?
How are you guys doing?
Good.
Hey, Dave.
So, Alex, I've already briefed Dave on what's going on with you, so you can ask him any
question you want.
So that, my question is, did somebody take over my Gmail account?
And does somebody still have access to my Gmail?
Because that would be scary.
And it doesn't seem possible because I had two-factor authentication.
Let's start with your questions.
First of all, is it possible?
Yes, this happens all the time.
The next step to kind of narrow down this mystery is to take a look at the access logs for your Gmail account and see if there is anything suspicious.
Okay, so where do I find the access logs?
So there is one where you can go to like this, my account.com slash device dash activity.
Slash device.
Yes.
Yes.
slash activity?
Device dash activity, like hyphen.
All right.
Yeah, Mac, and it's got a bunch of Nassau, the Bahamas, Windows, the Bahamas.
Wait, Windows the Bahamas.
It shows a Windows machine, which Alex does not have, accessing his account from the Bahamas.
Oh.
Yeah, but no, I did, because my dad had his, yes, no, my dad had his Microsoft tablet. So I tried to log on. That's right. I tried to log on to a Google Docs thing. But my account was compromised three days or four days after I accessed the Surface. So it wasn't like it happened right away.
When you're a bad guy in the credential harvesting business, right, you're getting a lot of information in at once. You've got to classify it.
Right. Got it.
And then you've got to sell it off to somebody to use.
Right.
So it's not like it's an instantaneous thing.
Got it.
And how would they do that without him noticing?
I mean, malware works in mysterious ways.
So it's like, so it's in the background.
Right.
I see.
So it's in the background.
It's running in the background.
It's mimicking an actual legitimate user accessing Gmail, even though it's not showing up on the screen or anything.
Right.
Gotcha.
Yeah.
All right.
Let's call my dad.
Your dad's name is Richard.
Do we call him Mr. Blumberg?
No, you can call him Richard.
I don't know if I can call him Richard.
You can call him Richard.
I tell you, I'm going to call Mr. Blumberg.
Okay.
Hello, Dad.
Hello.
Hi, Mr. Blumberg.
Hey, Mr. Blumberg.
You guys both went for Mr.
I told them to go Richard.
If you're going to be PJ and Alex, I'm going to be Richard.
So, Alex caught Richard up on everything that had happened so far
and explained that we wanted to check his tablet to see if that's how hackers got into Alex's Uber account.
There was one time when I logged into my account that was on a computer that people say could have been compromised.
And that is when I tried to log into my Gmail account from your tablets.
Surface Pro.
Yes.
Well, I will say that sometime in the last few weeks, and it may have been when we were in the Bahamas,
I got an email from Google saying that someone had tried to log into my Gmail account from a computer somewhere that I'd never been.
I can't remember where it was.
and so I deauthorized that.
I said, no, that's not an authorized computer.
And then I went out and I changed my Gmail password immediately.
You know, I haven't used the Surface Pro since we got back from the Bahamas,
but it had gotten so buggy.
It had slowed down so badly that I figured that something was wrong with it.
Do you have any malware detecting software on there?
A lot of Windows devices come with something called Windows Defender.
Yeah, I think there is Windows Defender on that.
Okay.
Is there any way to look at Windows Defender and see if there's anything?
Yeah.
Let me get the Surface Pro and I'll fire that up.
Okay, I've got Windows Defender up.
So I'm going to ask you to do a full scan, if you can do a full scan.
The problem is that a full scan takes a while.
So what's the verdict?
Did it find anything?
Completed on 7,18,8151 items.
No threats were detected on your PC during this scan.
Interesting.
I'm legitimately so angry.
Why?
I'm so frustrated by us.
Why?
Because it's just unanswerable.
It's not unanswerable.
It obviously cannot be answered.
Uber was compromised, and they're blaming it on me and my dad's, my dad's Surface Pro.
They found innocent, they found scapegoats in the Blumberg family.
Would Windows Defender have definitely found the spyware?
I mean, this is like the default Windows antivirus program we're talking about.
So it totally could have missed something.
I don't know.
The tablet still just feels like the most likely suspect to me.
This stuff's hard to actually say with any certainty.
You know, it's like trying to figure out who got you sick?
Kind of.
I mean, the virus analogy is actually very apt. It can make its way in from a million different places.
But if we were to just back up some distance and look at this like big picture, Uber, a multi-billion dollar company employing, I'm sure, gazillions of cybersecurity experts to keep its data safe or the Blumberg family.
You are sharp guys, but not very suspicious in general by nature.
So at this point, we thought we had solved the problem.
All right, Dad.
Thank you guys.
Thanks.
Bye.
Alex, I love you.
I love you, too.
We'll see you all later.
Okay.
Bye.
Bye.
Based on all our reporting, our best guess was that Alex Blumberg's Gmail had been hacked in Bermuda.
But the fact that we couldn't be 100% sure really bugged our senior producer, Phia Bennin.
So for the next couple of weeks, she tried to figure out if there was any way to get more clarity.
And about a month later, Phia brought us into the studio to tell us what she'd learned.
Okay, so there was just this one part of the story that was still nagging me, which is, if you remember, Uber said they sent emails to Alex when the, like, weird activity was happening in Moscow.
And Alex said he never saw any of those emails.
Like he never got them.
Yeah, even in his trash can, like nothing, nothing, nothing.
So I wrote Melanie Ensign, that woman who works at Uber.
And I was like, I have to find those emails.
When did you send those emails?
And she wrote me back.
She didn't actually send me the emails that they'd sent to Alex Blumberg.
She just sent me four timestamps, for the different times the emails should have gone out.
And as she sent that to me, I actually heard from another listener who told me about something that I didn't realize
existed, which is that there's a place in Google support that says restore users permanently deleted
emails.
It's not.
I didn't know that that existed either.
Does it restore them from the beginning of time?
How long do they get like a month?
You get 25 days.
Nice job, May.
And I learned about this when there were like the date when Alex was on vacation was 26 days ago.
No.
Get out of here.
Oh, no, no.
Sorry, 24 days ago.
Ah!
What a roller coaster, man.
Sorry.
Yeah, so I could look back, but I had like this tiny window where I could still look back,
and it's actually you have to, like, submit something to Google, and then they, like, you know, like scrape their system.
I'm literally picturing, like, a hard drive at Google headquarters that, like, a conveyor belt is moving towards an incinerator.
It feels totally like that.
And so, like, we immediately submitted something to them.
They did the scrape.
They said, okay, now everything should be there.
And I started looking at Alex's email with all the restored emails.
And?
Nothing.
Wow.
Get out of here.
No emails from Uber.
Like, this was so frustrating.
So I got on the phone with somebody from Google customer support and was like, you guys have not restored all the emails.
Like, I know for a fact there are these four emails from these four different specific times.
I'm not seeing them in here.
You guys are Google.
You have to be able to find them.
And what did they say?
And the guy was like, you know, I've never seen this happen before.
This is really strange.
And like I got so frustrated.
And then he told me that there was a whole different way that we could be approaching this, that I didn't actually need to be talking to him at all, because Gimlet's email is through a Google business account, that through the administrator, I could actually see all the emails coming in and out of Gimlet Media. I could see the subject lines, the, like, who they were to and who they were from, and when they came in.
I'm just quickly thinking about every email I've ever sent at work.
I was like, I guess it's Gmail.
It's all private.
Good to know.
Yes.
Okay, so let me quickly pull it up for you.
It's actually called the admin console,
and there's a feature in here called Reports.
Okay.
So you go into reports,
and there's a place for email log search,
and now you can look for, like,
the four specific emails that we know Uber says that they sent to Alex Blumberg.
So we'll put Uber in the sender field and Blumberg in the recipient field.
Does one of you want to drive this?
Okay.
Okay, so I'm going to hit search.
Mm-hmm.
Searching.
Searching.
Oh, wow.
So there's one, two, three, four, five emails.
So there's many, but they're all just the ones from once Alex was like,
what's going on with my thing.
My account has an unrecognized charge.
I can't sign in to my account.
I can't sign in to my account.
My account has an unrecognized charge.
And finally, you get interview request: the case of the missing Uber account.
I wrote that subject line.
So this is really interesting.
Yes.
This is when I changed from feeling like Google,
scrape through your servers, find these emails to...
Uber.
Maybe these emails never were sent.
Oh, my God.
This requires a dramatic sting.
Like a dun, dun, dun.
Duh.
Okay, if done it, what happened?
So, yeah, this would seem to suggest that Uber either thinks they sent emails and didn't send them, or in the worst scenario, is not telling the truth.
Yeah.
Did you go back to Uber with this?
Of course I did.
Even I wouldn't ask that question.
So what did they say?
Okay, so yesterday.
You got us?
So I wrote her yesterday, and she wrote me back fairly quickly, and here's what she said.
Hi, Phia. Great news. We figured it out.
Uh-huh.
Alex's password was part of a data dump that was sold online and tested by a bot script before being sold to the person who used it to request trips.
Wow.
Okay. I am still super confused.
Well, I have a specific...
Data dump.
Whose data dump?
Like, she said data dump on a botnet.
Like, are they saying, oh, things were actually breached?
So she followed up with a second email.
And she said...
Let me see.
By the way, we found his account in data dumps from LinkedIn, Dropbox, and MySpace, which isn't surprising since they announced previous data breaches. If he hasn't changed those passwords recently, he should.
But we checked that.
Right.
What did Uber say?
Well, a couple hours ago, I came back into the studio with Alex Blumberg, who has a terrible head cold, and we called Uber.
Hi, this is Melanie.
Hi, Melanie, it's Phia.
Hi, hello.
I'm here with Alex, and I'm recording our call.
Hey, Melanie.
Awesome.
She said she realized that in order to solve this problem, she needed to call on, like, the big guns.
We actually have an elite team within our security organization that deals specifically with account security and compromised accounts and those types of issues.
So I thought, why don't I go spend some time with them and let's actually do a legitimate forensic investigation and figure out what's happened.
Okay.
What happened?
It turned out that the initial email address that was actually associated with your account was your former email address from This American Life.
Oh.
So this is like his old work email address.
Right.
So the notification saying your email address has been changed,
your phone number has been changed,
your password has been changed,
were all going to that address.
To the ThisLife.org address,
which is no longer even active,
which is a dead email address.
So those notifications are essentially going into the void.
Can I also just say this out loud
so I make sure that I understand it?
Yeah.
Okay.
Basically, all that happened was Alex Blumberg forgot that years ago when he signed up for Uber, he used an old work email address.
He also forgot that he used to use the same password for everything, including a bunch of websites that have since been hacked.
And so hackers got his password from one of those websites, and they used it to break into his Uber and steal his rides.
And then when Uber tried to warn Alex that this was happening, they emailed the address that they had on file, which was his old work email address.
So he never saw it.
And also the hackers might have had access to that anyway.
Yeah, and finding that out, it was like everything all of a sudden started to click.
Like, remember how he didn't have his ride receipts?
Yeah.
I remember when we were talking about this like off mic, there was a point where he was like,
he was like, yeah, yeah, I don't get ride receipts.
Right, everybody was.
And we were like, but everybody, everybody gets ride receipts.
But he was, they were just going to his old email account.
Right.
Also, when we searched Have I Been Pwned, we searched Alex at Gimlet Media.
We didn't search his old email address.
Right.
And if you do search that old email address, it has three breaches to it.
It's been pwned three times.
Are they LinkedIn, MySpace and Dropbox?
Yes.
So there you go.
Wow.
So we were not just wrong, but we were like double extra super wrong.
Well, I think like we were inventing something very complicated because with the data we had, that was the most likely outcome.
Or like the most likely how it happened.
How did Alex react to all this?
Alex is so thrilled to actually have an answer, to, like, to know exactly what happened to his account.
You feel like case closed?
I do. I feel like case closed.
Yeah. Wow.
Took us a long time.
All it took was like dozens of engineers at Google,
dozens of engineers at Uber,
the entire staff of Reply All.
Actually, like all of our listeners.
A bunch of listeners to Reply All, a handful of staff members
at Gimlet and my father.
Yeah.
Yeah.
Man.
So on the one hand, it's great.
On the other hand, it's like,
what if you don't have that at your disposal?
Like, what are you supposed to do?
You have to live with a lot more mystery in your life, I guess.
And get a password manager.
Seriously.
Yeah.
Boy, is there a lesson to this, isn't there?
There really is.
Yeah.
And I don't have one either.
We're both the worst.
Okay.
Wait, should we just get one right now?
A password manager?
I'm sitting in front of my computer.
Oh my God, I don't want to.
I don't either.
Coming up after the break, the revelation that sent us back to this story.
So everything you've heard up until now was part of our original reporting this past spring.
And then, just a couple weeks ago, we started getting an avalanche of messages from listeners that were all saying the same thing.
Have you seen the news?
News had just broken that hackers had stolen tons of Uber user data.
57 million users were affected, and the company hadn't told anyone.
They'd covered it up for a year.
We wanted to know, had they actually lied to us?
Was Alex Blumberg not responsible for his account being stolen?
So I brought Alex and PJ back into the studio.
Hey, Alex Blumberg.
Yes.
We need to talk.
Okay.
We do.
Go ahead.
This is a conversation where I'm going to feel sad and old and stupid at the end?
Or is this a conversation where I'm going to feel vindicated in my belief that a major large corporation was lying to me?
Well, as soon as I heard the news, I reached out to Uber.
I contacted Melanie Ensign, who we talked to for the first story.
Right.
And she wrote back to me and said, quote, at the moment, our teams are going through the necessary disclosure process and investigations with regulators.
So I'm not able to provide an interview until that requirement is complete.
Okay.
But Alex Blumberg, I do have an answer for you because I talked to a bunch of other people, people at Uber who didn't want to be named, security experts, journalists, and I was able to put together a pretty clear picture of how this whole thing actually went down.
Okay.
And here is the story I learned.
In the fall of 2016, Uber gets an email, which basically says, I have a bunch of your information.
Give me $100,000.
$100,000.
It's like when Dr. Evil in Austin Powers doesn't ask for enough money.
One million.
Oh, boy.
I'm embarrassed for actually having done the...
It's like so weird.
I know it's so bizarre that that's my first thing to go to it,
but I'm like literally that my first thought was like,
hacker, ask for more money.
It's Uber.
They probably spent that on their holiday party decorations.
Yeah.
Anyway.
What a weird.
You're probably right.
Yeah.
So in Uber's statement, they said that there were two hackers involved in this hack.
Mm-hmm.
What happened was there was a guy who was really interested in trying to get access to the GitHub accounts of Uber employees.
You know what GitHub is?
It's a programming thing.
It's like where you go to, it's sort of like I'm working on a project and I want to collaborate with strangers.
So that's where we'll collaborate.
Right.
You can have public ones and private ones.
And so he hired like a mercenary second hacker to help him break into one of these accounts.
Oh, okay.
That is the extent of that second person's involvement.
So he put together like a team basically.
He was like, I need a GitHub hack man or whatever.
It was like Ocean's Two.
Yeah.
It's like Ocean's Two.
That's exactly right.
Okay.
The hacker gets on this GitHub account, looks through some of the code on there, and finds the login information for a server.
He hops on that server, and that's where the hacker finds all the data of these Uber accounts.
Wow.
And this has actually happened to Uber before.
In 2014, another hacker broke in again using GitHub, although that time it was driver data, and the company actually disclosed it.
Anyway, so Uber finds itself in this situation where there's someone out there with a bunch of their data who's asking for $100,000.
Right.
So, I mean, Uber could send the police after this guy, but there's a good chance that news of the breach is going to get out if they do that.
Now, we can't say exactly why Uber did what they did next, but it definitely solved that problem.
They decide to go with this loophole that lets everyone in the situation get what they want.
They say to this hacker, hey, we have this program where we work with hackers legally.
It's called a bug bounty program.
And what a bug bounty program is...
It's like if you find a hole in our fence, basically,
and you tell us about it, we'll pay you.
Rather than breaking and stealing our stuff,
if you want to look for security flaws,
there's a bounty on it.
Right.
And so they say to this person,
rather than holding this stuff for ransom,
enter into our bug bounty program,
and we will give you a reward.
Which is not...
That is the falsest distinction in the world.
It's like, I'm not paying a kidnapper's ransom,
But if we call it babysitting that I didn't ask for, then I can pay you it and it's fine.
Like, it's a very window dressing distinction.
Okay.
So, all right, so they say they have him enter the bug bounty slash ransom program.
Their bug bounty slash legal ransom program.
Right.
Uber actually works with this third-party company that's called HackerOne.
And I spoke to the co-founder, this guy named Alex Rice.
And he showed me the Uber bug bounty page. And
the first thing I noticed right away
is that they have like an average
bug bounty reward.
And it is, well,
why don't I just show you guys? Okay.
So.
Thank God we finally get to see the average bug
bounty room for. Okay.
So they're bounty statistics.
Okay.
Average bug bounty range is
between $500 and $540.
And the top bug bounty range
is like $10,000.
Okay.
So $100,000.
$100,000, not a typical bug bounty, something that looks a little bit more like, if you had to put an adjective on it, ransomy.
I confirmed that $100,000 is the most that Uber has ever paid for a bounty.
The second thing that I learned is that in order to get a payment from HackerOne, the hacker can't just be an anonymous nobody on the internet.
They have to fill out tax forms.
They have to fill out IRS questionnaires.
They have to give a ton of identifying information to this company.
And then does HackerOne hold onto that or does Uber get to find out about it?
Uber gets it.
So who was it?
I was told that it was a guy who was relatively young.
He was in his early 20s.
He was not like an IT, like computer professional.
He was just some kid.
So it wasn't like a super hacker.
Right.
So Uber makes this guy sign this thing saying that if the information makes it out into the world, he is on the hook.
They will turn him over to the authorities.
And he entered into an agreement with Uber where he allowed Uber onto his computer to run some forensic accounting to make sure all of the data was gone.
And they know that they're safe also because of the one computer, one person law that was
passed last year.
Exactly.
Every person is only allowed to own one computer.
Exactly.
And never use another one.
Yes.
Which would be great in a world without cloud computing or hard drives or other computers
or anything.
Yeah.
I talked to people in computer forensics and they told me it was impossible to know beyond a shadow
of a doubt whether this hacker copied this information elsewhere or not.
But apparently Uber was satisfied with the investigation.
And as a last step, they went through all the accounts that were affected by the breach and flagged them.
So on their...
What does it mean that they flag the accounts?
What it means is they have internally a record of all the accounts that were in this breach.
So if any of those get hacked, they can look at it and say, oh, there's a pattern of these accounts getting hacked.
This information might have gotten out.
I see.
So it's kind of a way to make sure that the hacker who they paid off to not tell people about the hack that they did is keeping up their end of this completely absurd bargain.
That's correct.
Alex Blumberg.
Yes.
This brings us back to your case.
A source at Uber told me that your account did not have a flag on it, which would mean
that your account info was not stolen by this hacker.
And that means that it's still your fault.
Son of a bitch.
Are you serious?
I am serious.
As far as we know,
your This American Life account was compromised
on some other website,
and that is how the Russian passenger
ended up with your Uber account.
Okay, but just like, I understand
Uber is not responsible
for Alex's problem. Alex is responsible for Alex's problem.
But like, putting that aside,
they lied to us.
Like, I don't understand why knowing what we know now,
we should trust them as a company, like, whatever they say.
Well, I mean, okay, first of all,
just to be very clear, in the first part of the episode,
Joseph Cox says that he specifically asked Uber if they've had a breach.
Yes, and they said no.
So just to give more context,
he asked them that question in 2015 before this hack took place.
Okay.
To your larger question about whether they lied to us. I feel like it's a lie of omission. Like it doesn't feel
good. It doesn't make me feel like, oh, okay, well, they're on the up and up. But I don't think
that it was an explicit lie where they said, we did not experience a breach when in fact they did.
Like, you feel like they didn't lie in like a legalistic sense of it. Right. But you feel like
they were dishonest. That's correct. But if you were to ask Uber, they'd say, look, we voluntarily
disclosed this hack. Yeah. And that was the decision of their new CEO who, in addition to voluntarily
disclosing this hack, fired the chief security officer and a top lawyer and has very publicly said,
like, we are Uber 2.0 and we are changing as a company. Travis Kalanick, who is the previous
CEO, has resigned. Right. On the other hand, Travis Kalanick is still on the board of directors at
Uber. And Uber 2.0 hasn't been exactly forthcoming about the way that they've handled this hack.
Like, they haven't sent emails to the affected users saying, like, hey, maybe you might want to
change your password. Which is like, which is really frustrating because it's like they're still
just saying like, we're holding the cards. You don't have a choice. Like, you don't even get to
know. I don't know. I just, ugh, I hate it. I just hate the impunity of it so much. Like, basically I want
them to say that we're entitled to an explanation of why they did this in the first place.
I want them to say, like, really, really, like, this is the calculation we made.
Like, this is how we sat down, as cynical as it was or not.
Like, this was the argument against it.
This was the argument for it.
It was a mistake to not tell the truth.
And we did it because of this.
And we wouldn't do it now because of that.
And categorically, there's not another thing like this that's sitting there waiting
to be discovered.
And if it is, we'll set all the cars on fire and go home.
It seems like it would be really mean to set the cars of your contractors on fire.
I just want accountability.
I don't know why you're so upset.
I should be the one who's upset because I...
You came in here, you came in here feeling like you were carrying the righteous sort of truth.
I was like, I thought vindication finally was mine.
And you still got owned.
I still got owned.
Reply All is hosted by PJ Vogt and me, Alex Goldman.
Our show is produced by Sruthi Pinnamaneni, Phia Bennin, and Damiano Marchetti.
We're edited by Tim Howard.
Additional production help from Krista Ripple.
Our intern is Anna Foley.
We were mixed by Rick Kwan.
Happy birthday, Rick.
Our theme music is by the mysterious Breakmaster Cylinder,
and our ad music is by Build Buildings.
Fact-checking by Michelle Harris.
Special thanks this week to Claire Tibbs,
Daniel Botianu, Mike Isaac, and Greg Bensinger.
Matt Lieber is a room that is at the perfect temperature.
You can visit our website at replyall.com.
And you can find more episodes of the show on iTunes, Spotify, or wherever you listen to podcasts.
We'll have a link to an article about the best password managers on our website,
replyall.com.
Also, there's a survey at replyall.com that we're asking people to fill out right now.
Filling out the survey helps us find advertisers for the show.
So if you have the notion, go ahead and fill it out.
Thanks for listening. We'll see you next week.
Is the piano all fixed?
Oh, nice job.
Play us something lively.
We're just falling.
That's this kinda peaceful actually.
Do you smell rotten meat?
Good God, look above you, it's Steve Bannon in a sexy Santa outfit riding an interdimensional
kaleidoscope dragon made of used syringes and glass xylophones.
It's the queen.
Her eyes are full of fire and hate.
Fuck you!
Is the piano all fixed?
Oh, nice job.
Let's put the mystery box back in there.
It's giving me weird dreams.
Play us something lively.
Wait.
Don't.
