According to the indictment documents, the two infiltrated Lynda's Amazon web server to steal information and then tried to extort the company through its bug bounty program. They reportedly contacted Lynda using a fake identity, telling the LinkedIn-owned subsidiary that their team was able to "access backups upon backups" and that they'd like a huge reward. "[P]lease keep in mind, we expect a big payment as this was hard work for us, we already helped a big corp which paid close to 7 digits, all went well," their email read.
TechCrunch says they used a similar MO to get Uber to pay $100,000 back in 2016. The two allegedly infiltrated Uber's Amazon web server, as well, using credentials one of the ride-hailing firm's engineers left in a GitHub repository. After it came to light that Uber hid the breach from users and authorities, the FTC investigated the incident and came to the conclusion that the hackers demanded a six-figure payout.
As part of its settlement with the FTC, Uber was slapped with a $148 million fine and had to agree to 20 years of privacy audits. It's not clear at the moment if Mereacre and Glover will also be formally charged for the Uber breach, but the former is scheduled to appear in court on November 8th.