According to documents filed in the case, the company learned months after the hack that someone had used an Uber digital security key to access the driver database. A copy of the key was inadvertently posted by Uber on one of its public pages on the code development platform GitHub in March of 2014, prior to the breach, the court filings show, and remained there for months.
After Uber discovered the unauthorized download, it examined the Internet Protocol addresses of every visitor to the page during the time between when the key was posted and when the breach occurred, according to court documents. The Uber review concluded that "the Comcast IP address is the only IP address that accessed the GitHub post that Uber has not eliminated" from suspicion, court papers say.
So for months this key was sitting on a public website and they've managed to eliminate every other address from suspicion?
Unless the actual URL was somehow hidden, that sounds very unlikely. I'd wager there are hacking groups who write robots to crawl around the web looking for private keys.
We don't even know in what form the key was posted. If it were sitting in some chunk of code that Uber had posted to GitHub, I wouldn't be in the least surprised that the Lyft CTO decided to check out the project to see what the rival company was doing.