The two people who hacked ride-hailing firm Uber’s data in 2016 were in Canada and Florida at the time, a company security executive told a U.S. congressional committee on Tuesday.

About 25 million people whose data was compromised in the breach live in the United States, Uber Technologies Inc chief information security officer John Flynn said in written testimony to a Senate Commerce Committee panel. Of those, 4.1 million were drivers, said Flynn, whose testimony described new details about the hack, the handling of which prompted newly appointed Uber Chief Executive Officer Dara Khosrowshahi to fire two top security officials.

Uber has ignored a security bug that can allow an attacker to hack into user accounts by bypassing two-factor authentication because the ride sharing company says the flaw "isn't a particularly severe" issue.

Two-factor authentication is a vital part of protecting online accounts. It adds a second layer of security on top of your username and password -- which can be be stolen -- by sending a code by text message to your phone, for example, which only you would have access to. More sites than ever are using two-factor to double-down on security after a spate of breaches in recent years that have exposed billions of passwords to hackers, who can use them to sign and take over accounts. 

A former Uber security manager says an espionage team inside the ride-hailing service used former CIA agents to help the company spy on its rivals overseas.

The testimony in a San Francisco courtroom Tuesday comes amid revelations that federal prosecutors are investigating allegations that Uber deployed an espionage team to plunder trade secrets from its rivals. That has triggered a delay in a high-profile federal trial over whether the beleaguered ride-hailing service stole self-driving car technology from a Google spinoff. Uber’s manager of global intelligence said that Uber hired several contractors that employed former CIA agents

Uber disclosed Tuesday that hackers had stolen 57 million driver and rider accounts and that the company had kept the data breach secret for more than a year after paying a $100,000 ransom.

The deal was arranged by the company’s chief security officer and under the watch of the former chief executive, Travis Kalanick, according to several current and former employees who spoke on the condition of anonymity because the details were private. The security officer, Joe Sullivan, has been fired. Mr. Kalanick was forced out in June, although he remains on Uber’s board. The two hackers stole data about the company’s riders and drivers. 

Life for Uber hasn't gotten easier. Experts revealed that the U.S. Justice Department is investigating five cases against the ride-hailing giant, two of which were previously unreported.

In the two previously unknown cases, authorities are looking at whether Uber violated price transparency laws and determining how the company may have stolen documents from Alphabet's self-driving technology division. This news comes amid other legal scandals like Uber's Greyball program. Over the last year, the ride-hailing giant has been scrutinized over its toxic workplace culture and other shady practices. 

The U.S. Department of Justice has begun a criminal investigation into Uber Technologies Inc's use of a software tool that helped its drivers evade local transportation regulators.

Uber has acknowledged the software, known as "Greyball," helped it identify and circumvent government officials who were trying to clamp down on Uber in areas where its service had not yet been approved, such as Portland, Oregon. The company prohibited the use of Greyball for this purpose shortly after journalists revealed its existence in March, saying the program was created to check ride requests to prevent fraud and safeguard drivers.

Uber was threatened with removal from the iPhone's App Store after the car-hailing company bypassed Apple's rules by tagging iPhones that had deleted its app. Apple's chief executive held a meeting with Uber boss in which he personally warned that the Uber app would be deleted.

Uber reportedly circumvented App Store rules by installing a piece of code that could identify individual iPhones even after the app had been deleted. The technology was not used to track location but kept a record of individual iPhones. This means that if the Uber app was downloaded onto a device, the company could tell if the app had previously been installed and deleted on it.

A secret Uber program internally dubbed “Hell” allegedly spied on arch-rival Lyft to determine which drivers were working double shifts for both companies, letting the cab-hire app steer more work towards them in an attempt to deprive its competitor of workers.

The report of the “Hell” program continues a string of uncomfortable claims for the company, still dealing with the fall-out of a string of sexual harassment allegations at the beginning of the year, and now operating with a brand new head of public policy and communications following the departure of its previous PR chief, Rachel Whetstone, on Tuesday.

Uber has for years engaged in a worldwide program to deceive the authorities in markets where its low-cost ride-hailing service was resisted by law enforcement or, in some instances, had been banned.

The program, involving a tool called Greyball, uses data collected from the Uber app and other techniques to identify and circumvent officials who were trying to clamp down on the ride-hailing service. Uber used these methods to evade the authorities. Greyball was part of a program called VTOS, short for “violation of terms of service,” which Uber created to root out people it thought were using or targeting its service improperly.

Intel, Uber and IoT company Aeris have joined forces in an effort aimed at fostering industry cooperation when it comes to building safety features into autonomous vehicles and the systems that support them. Today the group, which goes by the name Future of Automotive Security Technology Research, issued a manifesto explaining its intentions.

The manifesto hopes to galvanize the nascent and sometimes balkanized autonomous vehicle industry. It’s call to action is to infuse security into the emerging and diverse autonomous vehicle supply chain comprised of automakers, component manufacturers, software engineers and cloud providers.