Khosrowshahi did order a prompt investigation, as he claimed, but Uber and Mandiant (the digital forensics unit of FireEye) wanted to determine exactly how many users were affected and fire the two executives who covered up the attack. Uber told its would-be investor SoftBank about the breach roughly three weeks before the WSJ scoop, but it still didn't know just how many people were at risk.

Uber has confirmed the broader claims of the report. The company informed SoftBank with incomplete info because of its "duty to disclose to a potential investor," according to a statement, and revealed the breach in a "very public way" once its investigation wrapped up.

While Khosrowshahi inherited the hack from the previous management under Travis Kalanick and isn't facing much of a direct threat, the revelation isn't exactly going to help Uber as investigators from the FTC and individual states look into what happened. They may want to know why Uber's inquiry took so long, and whether or not Uber could have offered a basic warning to customers as soon as it knew their data was at risk. It'll need to have satisfactory answers if it wants to avoid the same kind of scrutiny as Equifax and other high-profile hacking targets.