December 7, 2017

#111 Return of the Russian Passenger

by Reply All


After a secret breaks in the news, Reply All re-examines how Alex Blumberg's Uber account was hacked. This episode is a follow-up to #91 The Russian Passenger and #93 Beware All.

Further reading:

The Best Password Managers

Transcript


ALEX GOLDMAN: So last March, our boss Alex Blumberg, came to us with what we thought was a very simple question. His Uber account had been hacked, and he wanted to know how it happened. And answering that simple question sent us on a quest that took months, but finally we got an answer.



And then, a month ago, a secret was revealed that totally upended our understanding of the story. So we've decided to reopen it.



Today, we're re-airing the original story, and then following it up with more reporting. If you want to skip straight to the new stuff, it's around 42 minutes.


Ok, here's the show. 


[Theme music] 



ALEX GOLDMAN: From Gimlet, this is Reply All. I’m Alex Goldman.



PJ VOGT: And I’m PJ Vogt.



ALEX GOLDMAN: Uh, this week we have our boss, Alex Blumberg, in the studio. Uh Alex actually just got back from a vacation in the Bahamas. Uh. How was it?



ALEX BLUMBERG: It was great.



ALEX GOLDMAN: So… Alex, you asked us to come into the studio and I don’t have any idea why. So, lay it on us!



ALEX BLUMBERG: I need some super tech support help—



PJ: Whoa! You’re crossing segments.



ALEX BLUMBERG: (laughs) I am. I’m–that’s right.



PJ: What’s your super tech support question?



ALEX BLUMBERG: So I was coming home, so I got home from vacation, I woke up the next day, and I look at my phone, uh, and I see some Uber notifications. And this is weird because I haven’t called Uber ’cause it was like six in the morning. And, that was weird enough. But the really weird thing is that the Uber notifications were in Russian. Here’s a screenshot.



PJ: (whispers) What?



ALEX BLUMBERG: So and I actually speak a little Russian.



PJ: Oh right. So what does it say?



ALEX BLUMBERG: This one says (speaking Russian) which means, your Uber is en route. Ar-Arthur, 4.9 stars, is um, will be there in one minute. Uh, you know, then the next one–Dennis is arriving in a Mercedes Benz E-class–



PJ: Nice!



ALEX BLUMBERG: License plate, blah blah blah blah blah. Arthur is arriving in a Kia Rio. It’s literally–



PJ: Oh! So it’s more than one ride though?



ALEX BLUMBERG: So it’s more than one ride, two–like two different people have called Ubers in Russia (laughs) and the notifications are being sent to my phone.



ALEX GOLDMAN: Alright, so I have some questions.



ALEX BLUMBERG: Yes.



ALEX GOLDMAN: Did you check your Uber account to see if these rides appeared in your history, if that’s possible?



ALEX BLUMBERG: Ok, so, I checked my bank account, and in fact my bank account had been charged with two rides, 25 dollars.



PJ: So, like, what my brain is saying is: “Somehow, someone, in Russia, got the password for your Uber and is just like–”



ALEX BLUMBERG: And hacked my Uber account, right?



PJ: Yeah.



ALEX BLUMBERG: Right, but it’s still being charged to my bank account.



PJ: Yeah.



ALEX BLUMBERG: Right.



PJ: This actually, this seems annoying, but it seems like you call Uber, you tell them this happened, they refund the charges and they change your password.



ALEX BLUMBERG: How naive.



PJ: (laughing)



ALEX BLUMBERG: How innocent. You’re like an innocent, naive little lamb.



PJ: Ok, so what happens?



ALEX BLUMBERG: Alright, so then I like I press the Uber icon on my phone to like, go in, and instead of the normal thing that happens when it shows up and it says, “Hi Alex Blumberg, blah blah blah, where would you like to go?” whatever, the normal screen, I get this screen. . . And it says–



PJ: What? “Uber. Get moving with Uber. Enter your mobile number.” So it’s treating you as a new user, basically–



ALEX BLUMBERG: It’s treating me as the-as if I just downloaded the app and I-they have no record of who I am or anything, and-and–



PJ: Which is weird because you’re on your phone.



ALEX BLUMBERG: It’s on my phone. It’s the app that was installed on my phone, but when I open it up, it doesn’t recognize me. So then I’m like, “Uh oh.”



So then the next step would be to call Uber… (pause) It’s impossible to call Uber.



ALEX GOLDMAN: Right.



ALEX BLUMBERG: So we emailed help.Uber.com and I got a [sic] e-mail response from them saying like, “We are unable to find a-any account associated with this email and mobile number.” And then I wrote back and I was like, “That’s really weird, because that’s my phone number, it’s definitely associated with this account, I have–I just received notifications this morning to this number.”



PJ: “Credit card charges from your company.”



ALEX BLUMBERG: “I have credit card charges from your company,” etc. etc. etc. And they wrote back the same thing, and they wrote back, “Sorry to hear your trouble, uh, we’re unable to find an account associated with the email, number. For security reasons, please email–"



And so then I kept on writing. And they kept on sending the same form email back and forth, and so then I was like, ok, what do I need to do? How do I–how am I gonna get out of this machine loop that I’m in here, where they keep sending me the same form letter back–



PJ: Over and over again.



ALEX BLUMBERG: Over and over again. And so then I was like, maybe if I-I wrote the word “escalate.”



PJ: (laughing)



ALEX BLUMBERG: And then I started typing some things in all caps–



ALEX GOLDMAN: Wait you just–you–



ALEX BLUMBERG: And I started cursing, just to, is this going to like get me to a higher level of service?



PJ: Like when you get a robot on the phone sometimes when, it’s like you say the right words.



ALEX BLUMBERG: “Agent! Agent! Agent!” I was doing the email equivalent of ‘agent’ over and over again.



ALEX GOLDMAN: Were you do–were you sending these all as individual emails?



ALEX BLUMBERG: Yeah yeah yeah, no, so I have, yeah. So look–it’s like 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, you know, it’s basically 15-20 emails back and forth between me and Uber.



PJ: And it’s all getting the same…



ALEX BLUMBERG: And it’s all getting the same thing. So, by this time I’d roped my wife Nazanin into helping me with this, and we found, and she-her Uber app was still working. And so she found, inside the app, there’s–there is a number that you can find and it’s the number that you are supposed to call if you’ve been assaulted or endangered. That’s the one number that is an actual human being on the other end.



PJ: Huh.



ALEX BLUMBERG: So I called that number.



ALEX GOLDMAN: And…



ALEX BLUMBERG: And I said, “I haven’t been assaulted by a driver.”



PJ: But I need to talk to a person!



ALEX BLUMBERG: “But I need to talk to a person, because”–and then there was a very, very nice lady who was like, “I will try to, I–lemme try to help you.”



I explained to her the whole story, and she was like “Gimme your phone number,” and I gave her my phone number and she was like “There is no–I have no memory of this phone number.”



ALEX GOLDMAN: Get outta here.



ALEX BLUMBERG: And she was like, “Hold on.” And then she came back and she was like, “There’s one more thing I can do. This is a little unorthodox, but if you give me your credit card number, I think I can call up your account through that.”



And I was like, “Ok.” And I gave her my credit card number, the credit card number that had been charged that very morning from Russia, and she was like, “I have no record of this credit card ever existing at Uber.”



PJ: That is so weird.



ALEX GOLDMAN: That’s bonkers.



PJ: It feels–



ALEX BLUMBERG: My entire existence has been erased.



PJ: It feels creepy.



ALEX BLUMBERG: It’s super creepy. And then I was like, “Is there anybody that can help me?” And she was like, “There’s nothing I can do.” So then I was like, “Okay.” (sighs). So then I started emailing some more.



ALEX GOLDMAN: And what–were you getting any variation in response?



ALEX BLUMBERG: No, and then they stopped.



PJ: Did she give you advice about–



ALEX BLUMBERG: And they they just stopped even auto-responding.



PJ: They stopped responding to your emails at all?



ALEX BLUMBERG: Yep. So I have not heard from them in three days.



ALEX GOLDMAN: (clears throat) Ok.



ALEX BLUMBERG: And here are my questions.



PJ: Yeah.



ALEX GOLDMAN: Go for it.



ALEX BLUMBERG: I want to know, how did this happen? And then …Did somehow I–I do this, or was this purely like a data breach at Uber?



ALEX GOLDMAN: Ok! I think that I–I hope that I can answer that. I will look into it for you and I will get back to you.



[MUSIC]



ALEX GOLDMAN: Uh, okay, a week ago–



ALEX BLUMBERG: Yes.



ALEX GOLDMAN: You came to me with a problem.



ALEX BLUMBERG: I did.



ALEX GOLDMAN: And the first thing that I wanted to know was like, is this a freak occurrence, or does this happen all the time? What I was struck by was how common this Uber hacking turned out to be. Like, I went on Twitter and found a ton of people who were having similar problems. Like I found people who were reporting that there were rides that they’d never taken in places like London and Hong Kong and France and Indonesia. Like it’s happening all over the world.



ALEX BLUMBERG: Wow.



ALEX GOLDMAN: And what I was curious about is where these hacked accounts were coming from.



ALEX BLUMBERG: Uh-huh.



ALEX GOLDMAN: Like, how were people getting their hands on them? And I saw that Joseph Cox, who is a writer for Motherboard, and he was on the show (laughing) the other week, um–



PJ: Helping me hack your phone.



ALEX GOLDMAN: Helping you hack my phone.



PJ: Yes.



ALEX GOLDMAN: So, I saw that he had written about exactly this problem.



JOSEPH COX: Hello, can you hear me?
ALEX GOLDMAN: Yes, I can hear you well. Joseph?
JOSEPH: Yeah, how you doing man?



ALEX GOLDMAN: So I called him up in Berlin. And he told me that a while back he was browsing the dark web, and, if you don’t know what that is, that is just a … part of the internet that is not easy to get to, it requires special software to get on, and a lot of illegal stuff is sold there.



JOSEPH: Uh, so I was just browsing one of the Dark Web marketplaces, which uh … I actually spend a lot of time doing. You’ll just go through the listings like you’re on Amazon or Ebay or whatever, and you’ll come across something pretty interesting like 70% of the time.
ALEX GOLDMAN: Can you give me an example?
JOSEPH: Hazmat suits (laughs), AK47s.
ALEX GOLDMAN: (laughs) Oh my god.
JOSEPH: You know, all–all the good stuff, really.



ALEX GOLDMAN: So, Joseph was just poking around, not really looking for anything in particular.



JOSEPH: And I just came across this vendor who said he was selling Uber accounts, uh, and I thought, “Well, that’s pretty interesting.” And then we looked into, and there were a hell of a lot of people selling stolen Uber accounts on the dark web.



ALEX GOLDMAN: And Joseph told me that they’re relatively cheap.



PJ: How cheap is cheap?



ALEX GOLDMAN: They’re between four and seven dollars each.



ALEX BLUMBERG: So you can buy … somebody else’s Uber account.



ALEX GOLDMAN: Mhm.



ALEX BLUMBERG: For four to seven dollars.



ALEX GOLDMAN: Right.



ALEX BLUMBERG: And then, and then, basically what you’re doing is buying my password and login.



ALEX GOLDMAN: Your username and password.



PJ: The fact that like, oh, there’s all these accounts, like to me that suggests that it’s not everybody’s fault, that like, somebody isn’t getting, if somebody shows up and they’re like, “I got 1000 Uber accounts, you want to buy one?” It’s not because they guessed 1000 passwords, it’s because like, Uber made a mistake.



ALEX GOLDMAN: Totally! And that’s what I assumed was the case also. Except Joseph specifically asked Uber if they had gotten hacked.



JOSEPH: Uber, they totally denied that they had a data breach, and then as I continued to report and spoke to these hackers who said that–how they were accessing accounts, that kind of backed up what Uber said. We found no evidence that there was a data breach actually at Uber itself.



ALEX GOLDMAN: And so I decided to go on the dark web and just ask people like, “Hey–where are you getting these Uber accounts?” And, you would be surprised to learn (laughs), I’m sure you’ll be shocked, they’re not super stoked to talk to people who want to talk to them about their criminal activities.



PJ: Well they probably just don’t listen to podcasts.



ALEX GOLDMAN: But, this one guy went by the username “Passman.” Um, I sent him a message saying, “Did all of these Uber accounts come from some huge hack of Uber?”



And he told me the same thing Joseph told me, which was: he didn’t think that anything like that had happened.



ALEX BLUMBERG: Ok.



ALEX GOLDMAN: And I said, “Interesting. Can you do me a favor, and see if, uh, any of these email addresses are in your cache of, um, hacked Uber accounts?”



PJ: And you gave him a bunch of Alex’s email addresses?



ALEX GOLDMAN: A couple. Yeah.



PJ: Ok.



ALEX GOLDMAN: (laughs) And his response was, and I quote, “Why are you giving me your boss’ email addresses? Do you want me to take a crack at his other accounts? That’s daring.”



ALL: (laughter)



PJ: I kind of agree with him.



ALEX BLUMBERG: Yeah.



PJ: “So I went to all the local muggers and I showed them a picture of you–”



ALEX GOLDMAN: (laughs)



PJ: “–And your wallet, and they said they didn’t recognize you but it seemed like you have a lot of money!”



ALEX BLUMBERG: Oh my god. Okay.



ALEX GOLDMAN: Look, whatever, it’s done, I can’t take it back. Um. Regardless, Joseph told me that he had a theory for what might have happened, and it’s this thing that hackers do that's called ‘credential stuffing.’



PJ: That sounds gross.



ALEX GOLDMAN: It does sound pretty gross. Joseph told me how it works:



JOSEPH: So companies’ websites are hacked every single day. Last year we had LinkedIn, Myspace, VK.com. All of these other breaches of tens if not hundreds of millions of accounts. Uh, with email addresses, and passwords being traded amongst hackers. But if you’re a clever hacker, you’re not only going to use those details, to break into accounts on that one site, you’re gonna see if they work on something else. The problem there is that people are using the same password on multiple websites and services.
ALEX GOLDMAN: Ohhhhhh.
JOSEPH: All they’re doing is reusing the password, but they’ll have a special piece of software which can just churn through just hundreds if not thousands, very very quickly. The more that me and my colleagues report on these data breaches every other day, every week, it is password reuse that is the main threat to ordinary users of the internet for sure.



ALEX GOLDMAN: So, at this point I’m thinking like, this might’ve been the thing that happened to you. Uh, someone got your password from some other account, like your diapers.com account, and it was the same password that you use for Uber.



ALEX BLUMBERG: I mean who uses a different password for every single online service they’ve ever–?



ALEX GOLDMAN: Yeah, I–I totally agree. I don’t do it either. And I am definitely rethinking that now that I’ve reported this story. And, to that point, Joseph had a piece of advice.



JOSEPH: Get a password manager, which is a piece of software which will generate unique, strong passwords so you don’t have to remember them.



ALEX GOLDMAN: But, since I know you don’t use a password manager, um, I wanted to know if someone had found your password in some hack that had made its way onto the internet. And luckily there’s a guy who can tell us if that happened.



TROY HUNT: My name is Troy Hunt. I am a security researcher. And I am recording from my home on the Gold Coast in Australia.
ALEX GOLDMAN: Which Troy makes kinda sounds like heaven on earth…
TROY: It’s sunny. It’s gonna be 30 degrees, that’s Celsius. Nice and warm. I think I might go out on the water.
ALEX GOLDMAN: Ugh.
TROY: It’s clear skies–



[MUSIC]



ALEX GOLDMAN: Troy’s an internet security researcher. So he knows that the more a person uses the internet, signs up for new services, new websites, the more vulnerable they become.



TROY: You sort of leave these little traces of yourself all over the internet. And as time goes by, those traces just get larger and larger. Uh, and the chances of one of the places you’ve left your data being breached and that data then being leaked continues to go up.



ALEX GOLDMAN: So, in 2013, Troy started a website that's called haveibeenpwned.com. P-W-N-E-D. It’s a way for people to find out whether their personal information has ended up on the internet.



TROY: So when we see data breaches where a company, like, say LinkedIn, is hacked and their data is, uh, ultimately spread across the internet, I grab these data breaches, I aggregate them into a service, and I make them searchable so that people can discover where they’ve been exposed.



PJ: So what’d you find?



ALEX GOLDMAN: Well PJ, why don’t you put your email, your–your personal email address into, into this.



PJ: Oh boy that’s, this is uncomfortable. Okay. [typing noise] Oh no.



ALEX GOLDMAN: (laughing)



ALEX BLUMBERG: (laughing)



PJ: Woooooow. I’ve been pwned.



ALEX GOLDMAN: On how many different sites?



PJ: Two! That’s crazy. Like these are… it’s Adobe and Tumblr… both of these are accounts that I’ve had forever. Oh that feels horrible.



ALEX BLUMBERG: Your username and password is on the dark web.



PJ: That is–



ALEX BLUMBERG: Right now.



PJ: A really bad feeling.



ALEX BLUMBERG: That’s wild.



ALEX GOLDMAN: Alex Blumberg, would you like to take a look and see what’s going on here.



ALEX BLUMBERG: Oh god–have I been pwned?



PJ: (laughs)



ALEX BLUMBERG: I’m–this is terrifying to type this in. [typing sound] Good news! No pwnage found!



PJ: Wow!



ALEX BLUMBERG: Alright.



ALEX GOLDMAN: Alex, I don’t want to rain on your parade, but Troy told me that just because the website shows that you haven’t been pwned, that doesn’t 100 percent mean that your credentials were never part of a data breach.



TROY: Yeah, there are a heap of unknown unknowns. (laughs) You know? There are all these things that happen that we simply never hear about. There’s stuff that has already happened that will come to light later on. And there’s also stuff that will never come to light.



ALEX GOLDMAN: So, for example, in 2016, 360 million Myspace accounts were put up for sale on the dark web. But they had actually been taken in 2013. So for like three years someone was sitting on them, maybe using them, and, uh, Troy couldn’t put them in his database because he didn’t know they’d been hacked.



ALEX BLUMBERG: So even though I got the message saying that I have not been pwned, I may still be pwned–



ALEX GOLDMAN: Yeah.



ALEX BLUMBERG: Somewhere. Should we interrupt this super tech support to do a very quick Yes Yes No on the, on the origin of pwned?



ALEX GOLDMAN: Yeah. It’s very easy. You ready?



ALEX BLUMBERG: Yeah.



ALEX GOLDMAN: Most people know it because in video games, when you beat somebody very badly you say that they’re “owned.”



ALEX BLUMBERG: Right.



ALEX GOLDMAN: And the ‘p’ is right next to the ‘o’ so people frequently misspelled it and then they misspelled it frequently enough that it just became its own word.



ALEX BLUMBERG: Gotcha.



PJ: I could have told you that also. [pause] I didn’t know that. (laughs)



ALEX BLUMBERG: (laughs) So haveibeenpwned.com.



ALEX GOLDMAN: Right. So based on talking to Troy and to Joseph, my working hypothesis has been like your Friendster account got hacked and it made its way onto the internet somewhere and it’s just never come to light. But, then I got in touch with Uber. And what they think happened, actually might be a lot worse than that.



ALEX BLUMBERG: What?! What did they tell you?



ALEX GOLDMAN: So you told me at the beginning of the show that your account just disappeared all together. Like Uber did not recognize its existence.



ALEX BLUMBERG: Yes, exactly.



ALEX GOLDMAN: And what they told me was, when someone changes their account info, like their email address or their phone number, the support team only has access to the new information. So the way that they found your hacked account was the screenshots that we sent them, of your phone’s lock screen, which had driver names and driver’s licenses on them. And from the license plate numbers, they identified the rides that were taken. And from those rides, they identified your account and got it back for you.



Um but once they got your account back, they took a look at it, and they told me that they’re pretty sure that not only was your Uber account hacked, but your Gmail account was hacked.



MELANIE ENSIGN: What we saw on our end, um, was … some suspicious logins, um, for Alex’s Uber account. So whoever was trying to log in did have his password. Um, but we have systems that will detect, um, logins that look suspicious.



ALEX GOLDMAN: That’s Melanie Ensign, and she is the person whose job it is to talk about security at Uber. And Melanie told me that when Uber saw your trips in Moscow, the ones that you didn’t actually take, they sent you an email that said, “You have to click on this link to verify that you’re actually now in Moscow.”



MELANIE: And so, whoever had access to his email account was clicking on those links, verifying it was him, and then deleting the notification before he saw them.
ALEX GOLDMAN: Oh!
MELANIE: And that’s why since Alex doesn’t have any memory of … ever seeing the email, why we believe that somebody had access to his email account first, um, because somebody was taking action on those emails and then deleting them.



ALEX BLUMBERG: This is where I’m like, “Okay maybe.” But there’s one thing that still does not make sense to me. I have two-step verification. And the–the purpose of this is that is to protect against just the thing that Uber is saying happened to my account.



In theory, even if hackers got my password information from the dark web, they go to their Russian computers and their Russian cyber cafe, they log in, and then they’re gonna get a message that says, "Please enter the code." And so, and I would be getting a text to my phone saying, “Here’s your authentication code,” and I’d be like what in the world is going on here and then I would like sound the alarms. So this–that’s what I don’t understand. Like how, because I have two-step verification, how did somebody manage to do this from a remote computer?



PJ: I mean is the question you’re really asking just, is Uber lying basically? Like are they saying that they sent suspicious activity emails that they didn’t really send and they’re trying to cover their asses?



ALEX BLUMBERG: I don’t think Uber’s lying. But I want to find out, can we determine, there’s gotta be somebody you can call in to make sure–to tell me if my account has been hacked or not. My Gmail account.



ALEX GOLDMAN: Alright.



PJ: And then, yeah–



ALEX BLUMBERG: And is it hacked still? Am I, at this very moment, pwned?



PJ/ALEX GOLDMAN: (laughing)



[MUSIC]



ALEX GOLDMAN: Alright. I’ll uh try to figure it out.



[BREAK ]



ALEX BLUMBERG: Alright.



ALEX GOLDMAN: (clears throat) Okay so it’s been a couple days. And I just sorta wanted to recap where we’re at.



ALEX BLUMBERG: Ok.



ALEX GOLDMAN: At first I thought that Uber had had some kind of data breach and your username and password had made it out into the world. And that does not appear to be the case. And then, I thought that maybe another account of yours got hacked from somewhere else and people used that username and password for your Uber, but that also seems unlikely.



And when I went to Uber, Uber told me that your Gmail account had probably been hacked. And so, uh, like I said, I’ve been looking into this and I don’t know what happened to your gmail.



PJ: (laughing)



ALEX BLUMBERG: Ok.



ALEX GOLDMAN: And in the past when tech support problems have gotten bigger than me– Or at least once, we brought in a ringer.



PJ: (gasps dramatically)



ALEX BLUMBERG: Ok.



PJ: Sort of like a super Alex Goldman.



ALEX GOLDMAN: He, yes. We brought in someone who is basically a super version of me. His name’s Dave Maynor. He is a security researcher, he lives in Atlanta, and I have him on the phone.



DAVE MAYNOR: Howdy!



ALEX BLUMBERG: Hey–



DAVE: How you guys doing?



ALEX BLUMBERG: Good. Hey Dave.



ALEX GOLDMAN: So Alex, I’ve already briefed Dave on what’s going on with you, so you can ask him any question you want.



ALEX BLUMBERG: So, that, my question is: Did someone take over my Gmail account? Um, and does somebody still have access to my Gmail, ’cause that would be scary. And–



DAVE: Well–



ALEX BLUMBERG: It doesn’t seem possible because I had two-factor auth–authentication.



DAVE: Let’s start with your questions. First of all, is it possible? Yes, this happens all the time. The next step to–to kind of, narrow down this mystery, is to take a look at the access logs for your Gmail account and see if there is anything suspicious.



ALEX BLUMBERG: Ok, so where do I find the access logs?



DAVE: So, there is one where you can go to like this myaccount.google.com/device-activity.



ALEX BLUMBERG: (typing) Slash device, slash activity?



DAVE: Device DASH, uh activity. Like hyphen.



ALEX BLUMBERG: Alright. Yeah. Mac–and it’s got a bunch of Nassau, the Bahamas; Windows, the Bahamas.



PJ: Wait, Windows, the Bahamas?



ALEX GOLDMAN: Uh, it shows a windows machine, which Alex does not have, accessing his account from the Bahamas.



ALEX BLUMBERG: Oh–yeah, but no I did, ’cause, my dad had his, yes, no, my dad had his Microsoft tablet. So I tried to log on–that’s right, I tried to log on to a Google Docs thing. But my account was compromised three days or four days after I accessed the Surface. So it wasn’t like it happened right away.



DAVE: Well, so when you’re, when you’re a bad guy in the credential harvesting business, right, you’re getting a lot of information in at once, you gotta classify it.



ALEX BLUMBERG: Right, got it.



DAVE: And then you’ve got to sell it off to someone to make–uh, to, to use.



ALEX BLUMBERG: Right.



DAVE: So it’s not like it’s an instantaneous thing.



ALEX BLUMBERG: Got it. And how would they do that without him noticing?



DAVE: Well I mean–malware works in mysterious ways.



ALEX BLUMBERG: So it’s like, it’s in the background?



DAVE: Right.



ALEX BLUMBERG: I see. So it’s in the background, it’s running in the background, it’s mimicking … it’s mimicking an actual legitimate user accessing Gmail, accessing Gmail, even though it’s not showing up on the screen or anything.



DAVE: Right.


ALEX BLUMBERG: Yeah. Ok, let's call my dad real fast.


[MUSIC]



[PHONE RINGING]



PJ: Do we call… your dad’s name is Richard … Do we call him Mr. Blumberg?



ALEX BLUMBERG: (laughing) No you can call him Richard.



PJ: I don’t know if I can call him Richard.



ALEX BLUMBERG: (laughing) You can call him Richard.



PJ: I feel like I’m gonna call him Mr. Blumberg.



ALEX BLUMBERG: (laughing) Ok.


Hello Dad?


RICHARD BLUMBERG: Hello!



ALEX GOLDMAN: Hi, Mr. Blumberg.



PJ: Hey, Mr. Blumberg.



ALEX BLUMBERG: (laughs) You guys both went for Mr.



PJ: (laughs)



ALEX BLUMBERG: I, I told them to go with Richard.



RICHARD: If you’re gonna be PJ and Alex, I’m gonna be Richard.



ALEX GOLDMAN: So Alex caught … Richard up on everything that happened so far and explained that we wanted to check his tablet to see if that’s how the hackers got into Alex’s Uber account.



ALEX BLUMBERG: There was one time when I logged into my account that was on a computer that people say could have been–could have been compromised. And that is when I log–tried to log into my Gmail account from your tablet.



RICHARD: Surface Pro.



ALEX BLUMBERG: Yes.



RICHARD: Yeah. Well I will say that sometime in the last few weeks, and it may have been when we were in the Bahamas, I got an email from, uh, Google saying that someone had tried to log into my–my Gmail account from a computer in … somewhere that I’d never been. I can’t remember where it was.



And, so I deauthorized that, I said, “No that’s not an authorized computer,” and then I went out and I changed my Gmail password immediately. You know, I haven’t used the Surface Pro since we, uh, got back from the Bahamas, but it had gotten so buggy, it’s gotten–it had slowed down so badly that I figured that–



ALEX BLUMBERG: Hmm.



RICHARD: I knew something–something was wrong with it.



ALEX BLUMBERG: Do you have a–did, did you have any malware, uh, detecting software on there?



ALEX GOLDMAN: A lot of Windows, uh, Windows devices come with something called Windows Defender.



RICHARD: Yeah, I think there is Windows Defender on that.



ALEX GOLDMAN: Ok.



ALEX BLUMBERG: Is there any way to look at Windows Defender and see if there’s anything…?



RICHARD: Yeah, let me, let me get the Surface Pro and I’ll fire that up. [long pause] Ok. I got Windows Defender up.



ALEX GOLDMAN: So, I’m going to ask you to do a full scan, if you can do a full scan. The problem is that a full scan takes a while.



[MUSIC]



RICHARD: Ok!



ALEX BLUMBERG: So what’s the verdict? Did it find anything?



RICHARD: “Scan completed on 718,851 items. No threats were detected on your PC during this scan.”



PJ: Interesting.



ALEX GOLDMAN: Hmmmm.



ALEX BLUMBERG: (laughs)



ALEX GOLDMAN: I’m legitimately so angry.



PJ: Why?



ALEX GOLDMAN: Like, I’m so frustrated by this.



PJ: Why?



ALEX GOLDMAN: Cause it’s just unanswerable.



ALEX BLUMBERG: (laughs)



PJ: It’s not unanswerable.



ALEX GOLDMAN: It obviously cannot be answered.



ALEX BLUMBERG: Uber was compromised. And they’re blaming it on me and my dad’s–my dad’s Surface Pro.



PJ: They found innocent, they found scapegoats in the Blumberg family.



ALEX BLUMBERG: (laughs)



RICHARD: (laughs)



ALEX BLUMBERG: Would Windows Defender definitely have found the spyware?



PJ: I mean–this is like, the default Windows antivirus program we’re talking about, so it totally could’ve missed something. I don’t know. The tablet still just feels like the most likely suspect to me. This stuff’s hard to actually say with any certainty. You know? It’s like trying to figure out who got you sick.



ALEX GOLDMAN: Kind of. I mean the virus analogy is actually very apt. It can make its way in from a million different places.



ALEX BLUMBERG: But if we were- if we–if we were just to backup some distance and look at this big picture: Uber, a multi-billion dollar company, employing I’m sure gazillions of cybersecurity experts to keep its data safe or the Blumberg family (laughs).



PJ: (laughs) Who are–


[MUSIC]


ALEX BLUMBERG: Yeah.



PJ: –sharp guys.



ALEX BLUMBERG: (laughs) But not very suspicious in general by nature.



PJ: (laughs)



ALEX GOLDMAN: So at this point, we thought we had solved the problem.



ALEX BLUMBERG: Alright Dad.



RICHARD BLUMBERG: Thank you guys.



ALEX GOLDMAN: Thanks.



RICHARD: Alex, I love you. I'll see you all later.



ALEX BLUMBERG: Love you too.



ALEX GOLDMAN: Based on all our reporting, our best guess was that Alex Blumberg’s Gmail had been hacked in Bermuda. But the fact that we couldn’t be 100% sure really bothered our senior producer, Phia Benin.



So for the next couple of weeks, she tried to figure out if there was any way to get more clarity. And about a month later, Phia brought us into the studio to tell us what she’d learned.



PHIA: Okay—so, there was just this one part of the story that was still nagging me—which is, if you remember, Uber said they sent emails to Alex when the like, weird activity was happening in Moscow. And Alex said he never saw any of those emails. Like, he never got them.



PJ: Yeah, even in his trash can, like, nothing, nothing, nothing.



PHIA: So, I wrote Melanie Ensign, that woman who works at Uber, and I was like, “I have to find those emails. When did you send those emails?” And she wrote me back. She didn’t actually send me the emails that they’d sent to Alex Blumberg. She’s just sent me four time stamps for the different times those emails should’ve gone out. And as she sent that to me, I actually heard from another listener who told me about something that I didn’t realize existed. Which is that there’s a place in Google Support that says, “Restore user’s permanently deleted emails.”



PJ: That’s nuts.



ALEX GOLDMAN: I didn’t know that that existed either. Does it restore them from the beginning of time?



PJ: I bet you—you can get like a month.



PHIA: You get 25 days.



PJ: (whispers) Nice job, me.



PHIA: And, uh, I learned about this when there were like—the day when Alex was on vacation was 26 days ago.



PJ: Nooo!



ALEX GOLDMAN: Get—get out of here.



PHIA: Oh no, no. Sorry. 24 days ago.



PJ: Aaah!



PHIA: (Laughs)



PJ: What a rollercoaster, man!



PHIA: (laughing) Sorry. Yeah so, I could look back, but I had like this tiny window where I could still look back, and it’s actually you have to like, submit something to Google and then they like, uh, you know, like scrape their system and send you everything.



PJ: I’m literally picturing like, a hard drive at Google Headquarters that like, a conveyor belt is moving towards an incinerator.



PHIA: It feels totally like that. And so like, um, we immediately submitted something to them, they did the scrape, they—they like said, “Ok, now everything should be there.” And I started looking at Alex’s email with all the restored emails.



PJ: And?



PHIA: (pauses) Nothing!



PJ: Whoa.



ALEX GOLDMAN: Get outta here.



[JAZZY DETECTIVE MUSIC]



PHIA: No emails from Uber. Like, this was so frustrating. So, I got on the phone with somebody from Google customer support. And was like, “You guys have not restored all the emails. Like, I know for a fact there are these four emails from these four different specific times. I’m not seeing them in here. You guys are Google. You have to be able to find them.”



PJ: And what’d they say?



PHIA: And the guy was like, “You know, I’ve never—I’ve never seen this happen before. This is really strange.” And like, I got so frustrated.



And then he told me that there was a whole different way that we could be approaching this, that I didn’t actually need to be talking to him at all. Um, because Gimlet’s email is through a Google Business Account, that through the administrator, I could actually see all the emails coming in and out of Gimlet Media, I could see the subject lines, the like, who they were to and who they were from, and when they came in.



PJ: I’m just quickly thinking about like every email I’ve ever sent at work. I was like, “Eh, it’s Gmail. It’s all private.” Good to know.



PHIA: Yes. Ok, so, let me—let me quickly pull it up for you. Um, it’s actually called the Admin Console, and there’s a feature in here called “Reports.”



PJ: Ok.



PHIA: So, you go into reports and there’s a place for email log search. And now you can look for like, the four specific emails that we know Uber says that they sent to Alex Blumberg. Um. So we’ll put Uber in the “sender field” and Blumberg in the “recipient” field. Does one of you wanna lead—drive this?



PJ: I wanna do it.



ALEX GOLDMAN: Alright.



PHIA: Ok.



PJ: Ok. So, I’m gonna hit search.



PHIA: Mhm.



PJ: Searching … Searching … Oh wow. So there’s one, two, three, four, five emails. So there’s many, but, they’re all just the ones from once Alex was like, “What’s going on with my thing?” “My account has an unrecognized charge,” “I can’t sign into my account,” “I can’t sign into my account,” “My account has an unrecognized charge.” And finally you get “Interview request: The case of the missing Uber account” (laughing).



ALEX GOLDMAN: I wrote that, uh, subject line.



PJ: Uh. So this is really interesting.



PHIA: Yes. This is when I changed from feeling like Google, scrape through your servers, find these emails to—



PJ: Uber.



PHIA: Maybe these emails never were sent.



ALEX GOLDMAN: Oh my god. This re—requires a dramatic sting. Like a dun dun dunnnn … Ok. I've done it. What happened?



PHIA: (Laughs)



PJ: So, yeah, this would seem to suggest that Uber either thinks they sent emails and didn’t send them. Or, in the worst scenario, is not telling the truth.



PHIA: Yeah.



PJ: Did you go back to Uber with this?



PHIA: (Long pause) Of course I did!



PJ: (Laughs)



ALEX GOLDMAN: Yeah, what kind of—even I wouldn’t ask that question.



PJ: Uh, so what did they say?



PHIA: Ok, so, yesterday—



PJ: You got us?



PHIA: So I wrote her yesterday, and she wrote me back fairly quickly, and here’s what she said: “Hi Phia! Great news! We figured it out!”



PJ: Uh-huh…



ALEX GOLDMAN: (Laughs)



PHIA: Alex’s—Alex’s password was part of a data dump that was sold online and tested by a bot script before being sold to the person who used it to request trips.



PJ: Wow.



ALEX GOLDMAN: Ok.



PJ: Wait.



ALEX GOLDMAN: I’m still super confused…



PJ: Hold on—I have specifi—data dump? Whose data dump? Like she said “data dump on a botnet.” Like, are they saying, “Oh, things were actually breached?”



PHIA: So she followed up with a second email. And she said … let me see, “By the way, we found his account in data dumps from LinkedIn, Dropbox, and Myspace, which isn’t surprising since they announced previous data breaches. If he hasn’t changed those passwords recently he should.”



[MUSIC]



PJ: But we checked that.



PHIA: Right!



PJ: Wh-what did Uber say?



PHIA: Well, a couple hours ago, I came back into the studio with Alex Blumberg, who has a terrible head cold, and we called Uber.



[PHONE RINGS]



MELANIE ENSIGN: Hi, this is Melanie.



PHIA: Hi Melanie, it’s Phia!



MELANIE: Hi! How are you?



PHIA: Um, I’m here with Alex and I’m recording our call.



ALEX BLUMBERG: Hey Melanie!



MELANIE: Awesome! Hi Alex!



PHIA: Melanie said in order to solve this problem she needed to call in, like, the big guns.



MELANIE: We actually have an elite team within our security organization, uh, that deals specifically with account security and compromised accounts, um, and those types of issues. So I—I thought, “Why don’t I go spend some time with them and let’s actually do a legitimate forensics investigation and figure out what’s happened?”



ALEX BLUMBERG: Ok.



PHIA: Um, what happened?



MELANIE: It turns out the initial email address that was actually associated with your account—



ALEX BLUMBERG: Uh-huh.



MELANIE: —was your former email address from This American Life.



ALEX BLUMBERG: Ohhhhhhhhh.



ALEX GOLDMAN: Ooohhhhhhhhhhhhhhhhhhh.



PHIA: (Laughs)



PJ: So this is like his old work email address.



PHIA: Right.



MELANIE: So the notifications saying, “Your email address has been changed,” “Your phone number has been changed,” “Your password has been changed,” were all going to that address.



ALEX BLUMBERG: To the thislife.org address. Which is no longer even active. Which is a dead email address.



MELANIE: So those notifications are essentially going into the void.



PJ: Can I also just say this out loud so I make sure that I understand it?



PHIA: Yeah.



PJ: Ok. Basically, all that happened was Alex Blumberg forgot that years ago, when he signed up for Uber, he used an old work email address.



PHIA: Mhm.



PJ: He also forgot that he used to use the same password for everything, including a bunch of websites that have since been hacked.



And so hackers got his password from one of those websites, and they used it to break into his Uber and steal his rides, and then when Uber tried to warn Alex that this was happening, they emailed the address that they had on file, which was his old work email address. So he never saw it. And, also the hackers might have had access to that anyway.



PHIA: Yeah, and finding that out, it was like, everything all of a sudden started to click, like, remember how he didn’t have his ride receipts?



PJ: Yeah! I remember when we were talking about this like, off-mic, there was a point where he was like—he was like, “Yeah, yeah, yeah. I don’t get ride receipts.”



PHIA: Right. Everybody was like, “Hold on.”



PJ: And, we were like, “But everybody—everybody gets ride receipts.”



ALEX GOLDMAN: Yeah, of course you don’t.



PJ: But he was, they were just going to his old email account.



PHIA: Right.



PJ: Also, when we searched haveibeenpwned, we searched alex@gimletmedia, we didn’t search his old email address.



PHIA: Right. And if you do search that old email address, it has three breaches to it. It’s been pwned three times.



ALEX GOLDMAN: Are they—are they LinkedIn, Myspace, and Dropbox?



PHIA: Yes.



PJ: So there you go.



ALEX GOLDMAN: Wow, so we were not just wrong, but we were like double-extra-super wrong.



PHIA: Well, I think like, we were inventing something very complicated because with the data we had that was the most likely outcome.



PJ: Yeah.



PHIA: Or like, the most likely how it happened.



PJ: Did Alex—how did Alex react to all of this?



PHIA: Alex is so thrilled to actually have an answer to like—to know exactly what happened to his account.



PHIA: You feel like “case closed”?



ALEX BLUMBERG: I do! I feel like case closed.



PHIA: Yeah.



ALEX BLUMBERG: Wow!



PHIA: Took us a long time.



ALEX BLUMBERG: All it took was like dozens of engineers at Google, dozens of engineers at Uber, the entire staff of Reply All, a bunch of—a handful—



PHIA: (Laughs) Actually like, all of our listeners.



ALEX BLUMBERG: A bunch of listeners to Reply All, a handful of staff members at uh, at uh—at Gimlet, and my father.



PHIA: Yeah.



ALEX BLUMBERG: And me.



PHIA: Yeah.



ALEX BLUMBERG: Man! It makes it—so on the one hand, that’s great. On the other hand it’s like, what if you don’t have that at your disposal? Like, what are you supposed to do?



PHIA: You have to live with a lot more mystery in your life, I guess. And get a password manager.



ALEX BLUMBERG: Seriously.



PHIA: Yeah.



ALEX BLUMBERG: Boy, is there a lesson to this, isn’t there?



PHIA: There really is.



ALEX BLUMBERG: (Laughing) Yeah…



PHIA: And I don’t have one either. We’re both the worst. Ok.



ALEX BLUMBERG: (Laughs) Ok. Wait, should we just get one right now?



PHIA: A password manager?



ALEX BLUMBERG: I’m—I’m sitting in front of a computer.



PHIA: Oh my god, I don’t want to.



ALEX BLUMBERG: I don’t either.



[MUSIC]



ALEX GOLDMAN: Coming up after the break, the revelation that sent us back to this story.



[BREAK]



ALEX GOLDMAN: So everything you’ve heard up until now was part of our original reporting this past spring. And then, just a couple weeks ago, we started getting an avalanche of messages from listeners that were all saying the same thing: Have you seen the news?



News had just broken that hackers had stolen tons of Uber user data. 57 million users were affected, and the company hadn’t told anyone. They’d covered it up for a year. We wanted to know: Had they actually lied to us? Was Alex Blumberg not responsible for his account being stolen? So, I brought Alex and PJ back into the studio.



ALEX GOLDMAN: Hey, Alex Blumberg.



ALEX BLUMBERG: Yes.



ALEX GOLDMAN: We need to talk.



ALEX BLUMBERG: Ok.



ALEX GOLDMAN: (laughs)



ALEX BLUMBERG: We do.



ALEX GOLDMAN: Uh– go ahead.



ALEX BLUMBERG: Is this is a conversation where I'm going to feel sad and old and stupid at the end, or is this a conversation where I'm going to feel vindicated in my belief that a major, large corporation was lying to me?



ALEX GOLDMAN: Well as soon as I heard the news, I reached out to Uber. I contacted Melanie Ensign, who we talked to for the first story.



ALEX BLUMBERG: Right



ALEX GOLDMAN: And she wrote back to me and said, “At the moment, our teams are in going through the necessary disclosure process & investigations with regulators, so I'm not able to provide an interview until that requirement is complete.”



PJ: Ok



ALEX GOLDMAN: But, Alex Blumberg, I do have an answer for you, because I talked to a bunch of other people: people at Uber who didn’t want to be named, security experts, journalists, and I was able to put together a pretty clear picture of how this whole thing actually went down.



PJ: Ok.



And here’s the story I learned.



In fall of 2016, Uber gets an email. The email says, "I have a bunch of your information. Give me $100,000."



ALEX BLUMBERG: (whispering) $100,000?



PJ: It's like when Dr. Evil in Austin Powers doesn't ask for enough money (laughing).



ALEX GOLDMAN: One million. I'm embarrassed for actually having done the uh--



ALEX BLUMBERG: It's like so weird. It's- I know it's so bizarre that that's my first thing to go to, but like, literally, that my first thought was like, "Hacker, ask for more money. It's Uber!"



PJ: They probably spent that on their holiday party decorations.



ALEX BLUMBERG: Yeah!



ALEX GOLDMAN: (laughing) What a weird—you're probably right.



ALEX BLUMBERG: Yeah.



ALEX GOLDMAN: So in Uber’s statement, they said that there were two hackers involved in this hack.



ALEX BLUMBERG: Mmhmm



ALEX GOLDMAN: What happened was there was a guy who was really interested in trying to get access to the GitHub accounts of Uber employees. Do you know what GitHub is?



ALEX BLUMBERG: Uh huh. It’s a programming thing.



PJ: It’s where you go, uh, it’s sort of like, uh, “I’m working on a project, and I want to collaborate with strangers. So that’s where we’ll collaborate.”



ALEX GOLDMAN: Right, you can have public ones and private ones. And so he hired like a mercenary second hacker to help him break into one of these accounts.



ALEX BLUMBERG: Oh okay



ALEX GOLDMAN: That’s the extent of that second person’s involvement.



ALEX BLUMBERG: He put together a team, basically. He’s like, “I need a GitHub hack man” or something.



PJ: It’s like Oceans 2



ALEX GOLDMAN: Oceans 2! That’s exactly right



ALEX BLUMBERG: (laughs) Ok



ALEX GOLDMAN: The hacker gets on this Github account, looks through some of the code on there, and finds the login information for a server. He hops on that server, and that’s where the hacker finds all the data of these Uber accounts.



ALEX BLUMBERG: Wow



ALEX GOLDMAN: And this had happened to Uber before: In 2014, another hacker broke in again using GitHub. Although that time, it was driver data and the company actually disclosed it. Anyway. So Uber finds itself in this situation where there’s someone out there with a bunch of their data who’s asking for $100,000.



ALEX BLUMBERG: Right.



ALEX GOLDMAN: So I mean, Uber could send the police after this guy, but there’s a good chance that news of this breach is going to get out if they do that. Now we can’t say exactly why Uber did what they did next but it definitely solved that problem.


They decide to go with this loophole that lets everyone in this situation get what they want.


ALEX BLUMBERG: Uh huh.



ALEX GOLDMAN: They say to this hacker, “Hey we have this program where we work with hackers, legally — it’s called a bug bounty program. And what a bug bounty program is..."



PJ: It's like, “If you find a hole in our fence, basically, and you tell us about it, we'll pay you. Rather than breaking in and stealing our stuff, if you want to look for security flaws, there's a bounty on it.”



ALEX GOLDMAN: Right. And so they say to this person, “Rather than holding this stuff for ransom, enter into our bug bounty program, and we will give you a reward.”



PJ: Which is not, that is the falsest distinction in the world. It's like, "I'm not paying a kidnapper’s ransom, but if we call it babysitting that I didn't ask for, then I can pay you it and it's fine." Like, it's a very window-dressing distinction.



ALEX BLUMBERG: Ok. So, alright, so they say, they have him enter the bug-bounty/ransom program.



ALEX GOLDMAN: (laughs)



ALEX BLUMBERG: Their bug-bounty/legal ransom program.



ALEX GOLDMAN: Right.



ALEX GOLDMAN: Uber actually works with this third party company that’s called HackerOne. And I spoke to the co-founder, this guy named Alex Rice. And he showed me the Uber bug bounty page. And um, the first thing I noticed right away is that they have like an average bounty reward and it is– Well, why don’t I just show you guys.



PJ: Ok. Finally, thank God. We finally get to see the average bug bounty rewards.



ALEX BLUMBERG: (laughs) Ok.



ALEX GOLDMAN: So they’re bounty statistics.



ALEX BLUMBERG: Ok



ALEX GOLDMAN: Average bug bounty range is between $500 and $540, and the top bug bounty range is like $10,000.



PJ: So $100,000, not a typical bug bounty. Something that looks a little more like, if you had to put an adjective on it, ransom-y.



ALEX GOLDMAN: I confirmed that $100,000 is the most that Uber had ever paid for a bounty.



The second thing that I learned is that in order to get a payment from HackerOne, the hacker can’t just be a--an anonymous nobody on the internet. They have to fill out like tax forms, they have to fill out IRS questionnaires, they have to give a ton of identifying information to this company.



PJ: And then does HackerOne hold onto that, or does Uber get to find out about it?



ALEX GOLDMAN: Uber gets it



ALEX BLUMBERG: So who was it?



ALEX GOLDMAN: I was told it was a guy who was relatively young, in his early 20s. He was not like an IT computer professional, he was just some kid.



PJ: So it wasn’t like a super hacker.



ALEX GOLDMAN: Right. Uber makes this guy sign this thing, saying that if this information makes it out into the world, he is on the hook. They will turn him over to the authorities. And he entered into an agreement with Uber where he allowed Uber onto his computer to run some forensic accounting to make sure all the data was gone.



PJ: And they know that they're safe, also, because of the “One Computer, One Person” law that was passed last year, which says that every person is only allowed to own one computer.



ALEX BLUMBERG: Exactly. My point exactly. (laughs)



PJ: And never use another computer.



ALEX BLUMBERG: Yes! Which would be great in a world without cloud computing, or hard drives, or other computers or anything.



ALEX GOLDMAN: Yeah, I talked to people in computer forensics, and they told me it was impossible to know beyond a shadow of a doubt whether this hacker copied this information elsewhere or not. But apparently, Uber was satisfied with the investigation, and as a last step, they went through all the accounts that were affected by the breach and flagged them. So on their–



PJ: What does it mean that they flagged the accounts?



ALEX GOLDMAN: What it means is, they have internally a record of all the accounts that were in this breach, so if any of those get hacked, they can look at it and say, "Oh! There's a pattern of these accounts getting hacked. This information might've gotten out."



PJ: I see. So it's kind of the way to make sure that the hacker, who they paid off to not tell people about the hack that they did, is keeping up their end of this completely absurd bargain.



ALEX GOLDMAN: That's correct. (pauses) Alex Blumberg.



ALEX BLUMBERG: Yes.



ALEX GOLDMAN: This brings us back to your case.



A source at Uber told me that your account did not have a flag on it. Which would mean that your account info was not stolen by this hacker. And that means that it’s still your fault.



ALEX BLUMBERG: (sighs)



PJ: (laughs)



ALEX BLUMBERG: Son of a bitch!



PJ: (laughs)



ALEX BLUMBERG: Are you serious?



ALEX GOLDMAN: I am serious.



ALEX BLUMBERG: Ahhh.



ALEX GOLDMAN: As far as we know, your This American Life account was compromised on some other website, and that is how the Russian passenger ended up with your Uber account.



PJ: Ok but just like, I understand Uber is not responsible for Alex’s problem. Alex is responsible for Alex’s problem. But like, putting that aside, they lied to us. Like I don’t understand why knowing what we know now, we should trust them as a company, like whatever they say.



ALEX GOLDMAN: Well I mean. Ok. First of all, just to be very clear, in the first part of the episode, Joseph Cox says that he specifically asked Uber if they've had a breach.



PJ: Yes and they said no.



ALEX GOLDMAN: So just to give more context: He asked them that question in 2015 before this hack took place.



PJ: Ok.



ALEX GOLDMAN: To your larger question about whether they lied to us. I feel like it's a lie of omission. Like it doesn't feel good. It doesn't make me feel like, "Oh, OK. well they're on the up and up." But I don't think that it was an explicit lie, where they said we did not experience a breach when in fact they did.



PJ: Like you feel like they didn't lie in like a legalistic sense of it.



ALEX GOLDMAN: Right.



PJ: But you feel like they were dishonest.



ALEX GOLDMAN: That's correct. But, if you were to ask Uber they’d say, "Look we voluntarily disclosed this hack."



ALEX BLUMBERG: Yeah



ALEX GOLDMAN: And that was the decision of their new CEO who, in addition to voluntarily disclosing this hack, fired the chief security officer and a top lawyer, and has very publicly said like "We are Uber 2.0, and we are changing as a company."



Travis Kalanick, who was the previous CEO, has resigned.



On the other hand, Travis Kalanick is still on the board of directors at Uber. And Uber 2.0 hasn’t exactly been forthcoming about the way that they’ve handled this hack. Like they haven’t sent emails to the affected users saying like, "Hey maybe you might want to change your password."



PJ: Which is really frustrating because it's like they're just saying like "We're holding the cards. You don't have a choice." Like you don't even get to know.



I don't know--I just. Ugh. I hate it. I just hate the impunity of it so much.



Like, basically I want them to say that we’re entitled to an explanation of why they did this in the first place. I want them to say like, really, really, like, "This is the calculation we made. Like, this is how we sat down, as cynical as it was or not, like, this was the argument against it, this was the argument for it. It was a mistake to lie--to not tell the truth, and we did it because of this, and we wouldn't do it now because of that. And categorically there's not another thing like this that's sitting there waiting to be discovered. And if it is--uh, we'll set all the cars on fire and go home.”



ALEX BLUMBERG: (laughs)



ALEX GOLDMAN: It seems like it would be really mean to set the cars of your contractors on fire.



PJ: I just want accountability.



ALEX BLUMBERG: (laughs)



[MUSIC]



ALEX BLUMBERG: I don't know why you're so upset--I should be the one who is so upset because--I--



ALEX GOLDMAN: You came in here--you came in here feeling like you were carrying the righteous sword of truth.



ALEX BLUMBERG: I was like, I thought vindication finally is mine.



ALEX GOLDMAN: And you still got owned.



ALEX BLUMBERG: I still got owned.



ALEX GOLDMAN: (laughs)


[MUSIC] 


ALEX GOLDMAN: Reply All is hosted by PJ Vogt and me, Alex Goldman. Our show is produced by Sruthi Pinnamaneni, Phia Bennin, and Damiano Marchetti. We’re edited by Tim Howard. Additional production help from Khrista Rypl. Our intern is Anna Foley. We were mixed by Rick Kwan. Happy birthday, Rick! Our theme music is by the mysterious Breakmaster Cylinder, and our ad music is by Build Buildings. Fact-checking by Michelle Harris. Special thanks this week to Claire Tibbs, Daniel Boteanu, Mike Isaac, and Greg Bensinger. Matt Lieber is a room that is at the perfect temperature.




You can visit our website at replyall.limo, and you can find more episodes of the show on iTunes or Spotify or wherever you would like to listen to podcasts. We'll have a link to an article about the best password managers on our website, replyall.limo. Also, there’s a survey at replyall.club that we’re asking people to fill out right now. Filling out the survey helps us find advertisers for the show, so if you have the notion, go ahead and fill it out. Thank you for listening. We’ll see you next week.