Stolen details included customer names, email addresses and phone numbers from around the world, although credit card details, bank account numbers and dates of birth were not believed to have been accessed.
While three sources familiar with the hack told Reuters a Florida man was responsible, the news agency said it was unable to identify the man.
But the company did not reveal any information about the hacker or how it paid him the money.
Uber declined to pursue criminal charges after determining that the person didn't pose an additional threat and eventually paid the hacker after confirming their identity and making them sign a nondisclosure agreement, Reuters reported.
The culprit's message was forwarded to Uber's "bug bounty" team and ultimately made its way to HackerOne, a third-party company that awards researchers for revealing security flaws in clients' products. Uber allegedly paid hackers a $100,000 ransom to delete the data and not disclose what had happened to the media and public.
Sources familiar with the hack told Reuters the payment was made through a program created to reward bug hunters who report flaws in a company's software.
HackerOne CEO Marten Mickos said he could not discuss an individual customer's programs.
Uber declined to comment, while HackerOne representatives didn't immediately respond to a request for comment.
The Florida hacker paid a second person for services that involved accessing GitHub, a site widely used by programmers to store their code, to obtain credentials for access to Uber data stored elsewhere, one of the sources said.
Mr. Khosrowshahi learned of the incident after becoming Uber's chief executive in August, and he's since terminated two employees implicated in its response, Joe Sullivan, Uber's former head of security, and a deputy, attorney Craig Clark.