Uber Technologies paid hackers $US100,000 ($A140,000) to keep secret a massive breach last year that exposed the personal information of about 57 million accounts of the ride-service provider including some Australian users, the company says.
Discovery of the US company's cover-up of the incident resulted in the firing of two employees responsible for its response to the hack, said Dara Khosrowshahi, who replaced co-founder Travis Kalanick as CEO in August.
"None of this should have happened, and I will not make excuses for it," Khosrowshahi said in a blog post.
The breach occurred in October 2016 but Khosrowshahi said he had only recently learned of it.
The hack is another controversy for Uber on top of sexual harassment allegations, a lawsuit alleging trade secrets theft and multiple federal criminal probes that culminated in Kalanick's ouster in June.
News that makes sense
Your trusted source for staying up-to-date with the world around you. Get free daily news updates and analysis, straight to your inbox.
The stolen information included names, email addresses and mobile phone numbers of Uber users around the world, and the names and licence numbers of 600,000 US drivers, Khosrowshahi said.
Uber passengers need not worry as there was no evidence of fraud, while drivers whose licence numbers had been stolen would be offered free identity theft protection and credit monitoring, Uber said.
Some Australian users were part of the global breach, Uber confirmed after informing Australia's privacy commissioner.
It has not specified how many of its 3.1 million Australian riders were caught up in the breach.
Two hackers gained access to proprietary information stored on GitHub, a service that allows engineers to collaborate on software code. There, the two people stole Uber's credentials for a separate cloud-services provider where they were able to download driver and rider data, the company said.
A GitHub spokeswoman said the hack was not the result of a failure of GitHub's security.
Bloomberg News first reported the data breach on Tuesday.
Khosrowshahi said Uber had begun notifying regulators. The New York attorney general has opened an investigation, a spokeswoman said.
Uber said it had fired its chief security officer, Joe Sullivan, and a deputy, Craig Clark, this week because of their role in the handling of the incident. Sullivan, formerly the top security official at Facebook and a federal prosecutor, served as both security chief and deputy general counsel for Uber.
