Uber still doesn’t know who hacked it eight months ago, exposing the personal data of 50,000 drivers. But the hunt is increasing tension between rival ride-hailing apps. According to a Reuters report, Uber is closing in on Lyft CTO Chris Lambert as a possible accomplice to its hacker.
Uber’s court papers claim that an unidentified person using a Comcast IP address had access to a security key used in the breach. The two sources said the address was assigned to Lyft’s technology chief, Chris Lambert.
This whole security imbroglio got started because Uber accidentally left its secure database key on a publicly accessible Github page. That’s leaving keys peeping out from under the doormat levels of dumb—no surprise, the data breach didn’t take long.
Uber’s federal lawsuit accuses a John Doe hacker of violating the Computer Fraud and Abuse Act in that data breach. And that John Doxxer is still a beautiful mystery. But Uber also combed through the IP addresses that simply visited its publicly accessible Github page. The Comcast IP address in question is suspected of accessing the security key, not actually doing the hacking.
The suit doesn’t name Lambert, or mention Lyft at all, and because the IP address is redacted, we haven’t been able to independently confirm a connection (neither could Reuters). But the sources insist that Lambert is unambiguously linked to the IP address:
The two sources, however, said Uber researched the address and discovered that it showed up elsewhere in Internet postings associated with Lambert, and that the address was assigned to his name.
Even if the IP address is assigned to Lambert, that doesn’t necessarily mean he broke any laws. Uber left the keys in public, after all. He could’ve just been doing a little friendly opposition research! But it certainly looks suspicious, and Uber will certainly try to link the IP with the key to the IP responsible for the breach.
For its part, Lyft—which began its internal investigation after it received a letter from Uber—is pointing out that Uber’s bad key-keeping has nothing to do with its C-suite executives.
“Uber allowed login credentials for their driver database to be publicly accessible on GitHub for months before and after a data breach in May 2014,” a Lyft spokesperson told Gizmodo. “We investigated this matter long ago and there are no facts or evidence that any Lyft employee, including Chris, downloaded the Uber driver information or database, or had anything to do with Uber’s May 2014 data breach.”