Task 1 of 4

How a Forgotten Subdomain Cost Uber $148 Million

In 2016, attackers breached Uber and stole personal data on 57 million riders and drivers. The entry point wasn't the main app — it was a forgotten staging subdomain that still had access to production credentials.

THE ATTACK — STEP BY STEP
Step 1: Attackers found a non-public GitHub repository belonging to an Uber developer.
Step 2: Inside the repo: hardcoded AWS credentials in a config file on a non-main branch.
Step 3: The credentials gave access to an S3 bucket containing a database backup.
Step 4: Inside the backup: 57 million user records — names, emails, phone numbers.
Step 5: Uber paid the attackers $100,000 to delete the data and stay quiet — and hid the breach for a year.

The fine: $148 million. The CEO who authorised the cover-up was criminally charged. All of it started because nobody knew a dev had pushed credentials to a private GitHub repo on a forgotten branch.
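A defender-side check for the root cause in Step 2 (credentials committed on a branch nobody reviews), as an added example that is not from the original course page: a small secret scanner that walks every branch of an in-memory model of a repository and flags AWS access key ID and secret key patterns. The repository model, its branch and file names, and the file contents are constructed for the example; the credential values are AWS's documented placeholder examples, not real keys.

```python
import re
from typing import Dict, List, Tuple

# AWS long-term access key IDs begin with AKIA (ASIA for temporary keys)
# followed by 16 uppercase alphanumerics; the secret is 40 base64-style
# characters and is only flagged next to a telling variable name.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)
Finding = Tuple[str, str, int, str]  # (branch, path, line_no, kind)

def scan_text(branch: str, path: str, text: str) -> List[Finding]:
    """Return one finding per credential-looking token in one file."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if ACCESS_KEY_RE.search(line):
            findings.append((branch, path, line_no, "aws_access_key_id"))
        if SECRET_KEY_RE.search(line):
            findings.append((branch, path, line_no, "aws_secret_access_key"))
    return findings

def scan_repo(repo: Dict[str, Dict[str, str]], branches=None) -> List[Finding]:
    """Scan every branch of the repo model, or only the named branches."""
    findings: List[Finding] = []
    for branch, files in repo.items():
        if branches is not None and branch not in branches:
            continue
        for path, text in files.items():
            findings.extend(scan_text(branch, path, text))
    return findings

# Constructed repo model {branch: {path: contents}}; the credential values
# are AWS's documented placeholder examples, not real keys.
SAMPLE_REPO = {
    "main": {
        "config/settings.py": "AWS_REGION = 'us-east-1'\nBUCKET = 'backups'\n",
    },
    "feature/old-backup-job": {
        "config/settings.py": (
            "AWS_REGION = 'us-east-1'\n"
            "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
            "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
        ),
    },
}

if __name__ == "__main__":  # scanning only main misses the leak
    print("main only   :", scan_repo(SAMPLE_REPO, branches={"main"}))
    print("all branches:", scan_repo(SAMPLE_REPO))
```

Run against a real checkout, the same scan_text loop would be fed the contents of every file on every branch (for example via `git ls-tree` per branch), which is the check a main-only scan misses.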

Why asset discovery matters

Big companies have hundreds of subdomains. Most were set up years ago by different teams. Some got forgotten. Some are still running old software. Some expose internal tools to the internet. Attackers find them. Bug bounty hunters find them first.

WHAT HUNTERS FIND ON FORGOTTEN SUBDOMAINS
dev.target.com: Development servers with debug mode on, real production credentials in env vars
staging.target.com: Pre-production with real user data, weaker auth, older unpatched software
admin.target.com: Internal admin panels exposed to the internet with default credentials
old.target.com: Ancient version of the app running a framework with known CVEs
jenkins.target.com: CI/CD systems — if you get in, you can push code to production

In the Uber breach, what was the initial entry point that led to 57 million records being stolen?