After Uber’s data breach in 2014, in which the names and driver’s license numbers of 50,000 of its employees were stolen, the company filed a “John Doe” lawsuit against the unknown thief. By filing the suit, Uber was able to convince a California district court to issue subpoenas to GitHub and Comcast.

Image for article titled Developers keep leaving secret keys to corporate data out in the open for anyone to take

The GitHub subpoena ordered that the company release the IP addresses of everyone who visited any page on its website where Uber’s login credentials had been published. The Comcast subpoena required that the company turn over the names and addresses of the people linked to those IP addresses.

GitHub said it could not comment on the matter, but it did apparently turn over the IP addresses to Uber. Citing anonymous sources, Reuters reported last October that one of the IP addresses had been traced back to Chris Lambert—the chief technology officer of Uber’s biggest rival, Lyft.

By December, the US Justice Department had launched an investigation into the data breach, but has not said whether it’s looking into Lyft’s possible involvement. In a statement sent by email, Lyft said it was not in any way involved in the data breach.

“We investigated this matter long ago,” the statement said, “and there is no evidence that any Lyft employee downloaded the Uber driver information or database, or had anything to do with Uber’s May 2014 data breach.”

📬 Sign up for the Daily Brief

Our free, fast, and fun briefing on the global economy, delivered every weekday morning.