The two people who hacked ride-hailing firm Uber’s data in 2016 were in Canada and Florida at the time, a company security executive told a U.S. congressional committee on Tuesday.

About 25 million people whose data was compromised in the breach live in the United States, Uber Technologies Inc chief information security officer John Flynn said in written testimony to a Senate Commerce Committee panel. Of those, 4.1 million were drivers, said Flynn, whose testimony described new details about the hack, the handling of which prompted newly appointed Uber Chief Executive Officer Dara Khosrowshahi to fire two top security officials.

The U.S. Department of Justice has begun a criminal investigation into Uber Technologies Inc's use of a software tool that helped its drivers evade local transportation regulators.

Uber has acknowledged the software, known as "Greyball," helped it identify and circumvent government officials who were trying to clamp down on Uber in areas where its service had not yet been approved, such as Portland, Oregon. The company prohibited the use of Greyball for this purpose shortly after journalists revealed its existence in March, saying the program was created to check ride requests to prevent fraud and safeguard drivers.

Uber was threatened with removal from the iPhone's App Store after the car-hailing company bypassed Apple's rules by tagging iPhones that had deleted its app. Apple's chief executive held a meeting with Uber boss in which he personally warned that the Uber app would be deleted.

Uber reportedly circumvented App Store rules by installing a piece of code that could identify individual iPhones even after the app had been deleted. The technology was not used to track location but kept a record of individual iPhones. This means that if the Uber app was downloaded onto a device, the company could tell if the app had previously been installed and deleted on it.

Despite its short life, Uber has already faced waves of fraudulent activity. In 2015, hackers broke into and sold wads of Uber accounts on the dark web, and at around the same time scammers in China used modified smartphones to place fake Uber bookings.

More recently, English-speaking fraudsters have also allegedly been spoofing Uber rides, pretending to be both a driver and customer, and tricking the company out of cash in the process. “Despite the security concerns with hacked accounts and lackluster security that are have plagued Uber for most of the past year surprisingly, more and more people are joining,” one scamming guide reads.

Imagine you’re on your way to a therapy appointment in a downtown high-rise. You hail an Uber and enter a nearby coffee shop as your destination so you can grab a snack before the appointment. In the car, you scroll through Instagram and check your email.

You get out, buy your coffee, and walk around the corner to your therapist’s office. If you installed the latest app update, Uber has been tracking your location the entire time. The app update changes the way Uber collects location data from its users. Previously, Uber only collected location information while a user had the app open – now, Uber asks users to always share their location with the ride-hailing company.

The FBI has proposed keeping its database of fingerprints, iris scans and photographs exempt from privacy laws, prompting companies like Lyft and Uber to join advocacy groups in saying they are “deeply concerned” about the proposed change.

The bureau wants to shield its massive biometric database, called the Next Generation Identification (NGI), from Privacy Act rules that require a person to be notified if they are in a government system, as well as rules that let people ensure that the information the government is holding about them is accurate. The FBI’s proposal was first published in early May.

Uber accidentally exposed the personal data of hundreds of its drivers last night, revealing social security numbers, pictures of driver licenses, vehicle registration numbers, and other information.

Drivers registered with the ridesharing company first noticed the leak and dedicated Uber message boards. One driver said that he was presented with thousands of confidential documents from other drivers when he tried to upload a document of his own, saying that he saw "a lot of taxi certification forms and livery drivers licenses" in addition to "W-9 forms with Social Security numbers for taxi cab companies."

​One dollar could buy you a stolen password to an Uber account and free car rides around town. Vendors on dark net sites are offering active Uber username and login details for $1.

Motherboard said it was able to verify that some of the accounts were still in use by Uber members and that, in one case, a previously hacked Amazon password was likely used to get into an Uber account because the passwords were the same. The company said it investigated the issue, and found no evidence of a breach. In May 2014, the company suffered a security breach that affected thousands of Uber's current and former drivers.