Taxi firm Uber has admitted two hackers accessed personal data of its 57 million users and drivers.
The attack, which occurred in late 2016, gave up names, email addresses and phone numbers of its users and drivers, the company said.
Bloomberg, which first broke the news, said the breach was hidden by the firm, which paid hackers $100,000 (£75,000) to delete the data.
The company’s former chief executive Travis Kalanick knew about the breach at the time, it said.
Discovery of the company’s handling of the incident led to the departure of two employees who led Uber’s response to the incident, said Dara Khosrowshahi, who was named CEO in August following the departure of founder Kalanick.
Khosrowshahi said he had only recently learned of the matter himself.
The company’s admission that it failed to disclose the breach comes as Uber is seeking to recover from a series of crises that culminated in the Kalanick’s ouster in June.
According to the company’s account, two individuals downloaded data from a third-party cloud server used by Uber, which contained names, email addresses and mobile phone numbers of some 57 million Uber users around the world.
They also downloaded names and driver’s license numbers of some 600,000 of the company’s U.S. drivers, Khosrowshahi said in a blog post.
He said he had hired Matt Olsen, former general counsel of the U.S. National Security Agency, to help him figure out how to best guide and structure the company’s security teams and processes.
“None of this should have happened, and I will not make excuses for it,” Khosrowshahi said in the blog post.
“While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes,” he said.
“We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”