Generally, penetration testing companies will do a security audit of the client's systems. This would include targeted attacks, and one of the first things they do is try to find passwords saved in plaintext in config files.

A looooot of shitty devs saved db admin credentials in config files. E.g. .NET saves database connection strings in the web.config file, and some lazy developers save the username and password in there too.

So first of all, the GitHub (code sharing) account for Uber developers was accessed, probably by using some known passwords (whoever gave them that account didn't make sure the password conformed to security standards). THEN whoever got into the codebase simply looked at the config file for the db, in which the db credentials were saved unencrypted by some slob dev.

These problems would have definitely been picked up by any decent pen testing firm, and Uber would have received a detailed report of all possible attack vectors among other things.

Uber pretending that it isn't at fault is a joke and they will absolutely be fined a crazy amount. Hopefully it serves as a lesson to other companies dealing with sensitive data.

https://tesserent.com/security-consultation/security-audit/
Last edited by baxtasan: 27/11/17
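The web.config problem the post describes, as an added defender-side example (not the poster's code): a small Python audit that parses a .NET web.config and reports connection strings carrying a literal password, while skipping Windows-authentication strings, deploy-time placeholders (the `__NAME__` convention is assumed) and sections already encrypted with aspnet_regiis. The sample config is constructed for the demo.

```python
# Added example (not from the post): parse web.config and report connection strings
# that carry a literal password. The sample config and the __NAME__ placeholder
# convention are constructed for this demo.
import xml.etree.ElementTree as ET

SECRET_KEYS = ("password", "pwd")       # ADO.NET keys that hold the secret
USER_KEYS = ("user id", "uid", "user")  # keys that name the account
# Constructed sample: hard-coded SQL login, Windows auth, deploy placeholder, encrypted section.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="Prod" connectionString="Server=db01;Database=app;User ID=sa;Password=Hunter2!" />
    <add name="Local" connectionString="Server=.;Database=app;Integrated Security=True" />
    <add name="Vaulted" connectionString="Server=db02;Database=app;User ID=app;Password=__DB_PW__" />
  </connectionStrings>
  <location path="admin">
    <connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
      <EncryptedData>opaque-ciphertext-goes-here</EncryptedData>
    </connectionStrings>
  </location>
</configuration>
"""

def parse_connection_string(cs):
    """Split 'Key=Value;Key=Value' into a dict with lowercase keys."""
    pairs = {}
    for part in cs.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            pairs[key.strip().lower()] = value.strip()
    return pairs

def find_plaintext_credentials(xml_text):
    """Return [(name, user)] for each connection string with a literal password."""
    findings = []
    for section in ET.fromstring(xml_text).iter("connectionStrings"):
        if section.get("configProtectionProvider"):
            continue  # encrypted at rest; nothing readable in the file
        for add in section.findall("add"):
            kv = parse_connection_string(add.get("connectionString", ""))
            secret = next((kv[k] for k in SECRET_KEYS if k in kv), None)
            if secret is None or (secret.startswith("__") and secret.endswith("__")):
                continue  # integrated auth (no secret) or substituted at deploy time
            user = next((kv[k] for k in USER_KEYS if k in kv), "<unknown>")
            findings.append((add.get("name"), user))
    return findings

if __name__ == "__main__":
    for name, user in find_plaintext_credentials(SAMPLE_WEB_CONFIG):
        print(f"[!] '{name}' stores a plaintext password for user '{user}'")
```

Run against the sample, only the "Prod" entry is reported; the same check can be pointed at a checked-out repository to catch this before a pen tester or an attacker does.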