In major goof, Uber stored sensitive database key on public GitHub page


The language has led to widespread speculation that the pages at issue were made by an Uber employee or contractor who stored a confidential authorization key on the GitHub service. One or more of the unknown John Doe defendants then found the key some time in 2014 and used it to access the Uber database. Uber officials declined to comment on the record, but the company didn’t challenge the claim. Uber’s release on Friday said: “Immediately upon discovery we changed the access protocols for the database, removing the possibility of unauthorized access.”

It’s not the first time people have posted highly confidential data to publicly accessible GitHub pages. In a January 2013 post headlined PSA: Don’t upload your important passwords to GitHub, Ars reported that basic searches turned up dozens of passwords and security keys stored on publicly accessible GitHub pages. In some cases, the passwords appeared to secure sensitive information for high-target companies and projects, including Chromium, the repository that stores the source code for Google’s open source browser.

Uber has already been accused of using its vast database of customer trips to track the comings and goings of journalists and VIP riders. The wording of Uber’s complaint, saying a security key protecting the Uber database was stored on a publicly accessible GitHub page, is a step backwards for Uber as it attempts to reassure the public that the significant amount of information it holds is safe from prying eyes. It could also attract scrutiny from state or federal watchdogs, or from private attorneys representing people injured as a result of Uber’s security lapses.