Khosrowshahi took over the company in September after embattled Uber co-founder Travis Kalanick stepped down as CEO in the summer.
"None of this should have happened, and I will not make excuses for it", he wrote.
Two hackers penetrated GitHub, a private site used by Uber software engineers, to obtain login credentials that were then used to access a separate cloud-services provider.
The stolen information included names, email addresses and mobile phone numbers of Uber users around the world, and the names and license numbers of 600,000 US drivers, Mr Khosrowshahi said. "We are changing the way we do business".
While it's certainly concerning that our personal data has been leaked to outsiders without us even knowing, Uber's CEO insisted there was no "evidence of fraud or misuse tied to the incident".
"Cloud services, such as AWS, are secured with SSH [secure shell] keys that are often outside the control of security teams", said Kevin Bocek, vice-president of security strategy and risk intelligence at Venafi.
As the United Kingdom data protection regulator has opened an investigation into the hack of customer and driver data at Uber, the maximum penalty could be about £500,000 ($662,350, €563,000) under current British law for organizations that fail to notify affected users and regulators when data breaches occur.
Law enforcement advises companies not to pay hackers and to report breaches to the authorities.
"If we do use the NDB legislation and its reporting properly, I would say in the future we will gather better empirical data around incidents and breaches that will give you better quality statistics and trends around this - particularly around the government sector, which often seems to be a bit of a black box".
Uber has always failed to protect driver and passenger data.
- Affair site cracked - In August 2015 hackers calling themselves The Impact Team published almost 30 gigabytes of files including the names and credit card data of people who had signed up with Ashley Madison, a website facilitating extra-marital affairs.
Attorneys general in at least three states, including Massachusetts and New York, have already launched investigations into the hack.
Khosrowshahi said the company fired two individuals who led security response. In addition to its legal troubles, Uber has faced criticism for sexual harassment issues, underpaying and deceiving drivers, questioning a rape victim, and surge pricing during times of crisis.
Businesses need to recognise that data breaches are a threat they face and they should be prepared to deal with them effectively to maintain customer trust, say security advisers. Joe Sullivan, Uber's chief security officer, is no longer with the company, it said.