Uber Suffers Major Cybersecurity Breach


Global ride-hailing giant Uber announced on Friday that it is investigating a cybersecurity incident. A hacker allegedly breached the company’s computer network on Thursday. Uber consequently shut down its internal systems, including communication tools such as Slack.

According to The New York Times, the hacker tricked an Uber employee into handing over a password, granting them access to the company’s systems. The hacker has since shared several screenshots displaying the magnitude of the breach.

“They pretty much have full access to Uber,” Sam Curry, a cybersecurity engineer at Yuga Labs who interacted with the threat actor, told the New York Times. “This is a total compromise, from what it looks like.”

18-Year-Old Hacker Breached Uber

The hacker told the New York Times that he was 18 years old and broke into Uber’s systems because its security was weak. He used social engineering to gain access to Uber’s network. Social engineering refers to manipulation schemes in which a malicious actor impersonates a trusted party to lure victims into divulging sensitive information, such as passwords.

In this case, the attacker sent an Uber employee a text message claiming to be from corporate IT. He convinced the employee to hand over a password, giving him access to Uber’s systems. Following the initial breach, the hacker accessed a wide range of Uber’s resources, including admin access to Uber’s domain and its Amazon Web Services console, VMware vSphere, and Google Workspace accounts.

The hacker’s screenshots also showed he has access to the company’s financial data and, ironically, its SentinelOne (enterprise cybersecurity) account.

The hacker sent a message over Slack to Uber’s employees, claiming responsibility for the breach. “I announce I am a hacker and Uber has suffered a data breach. Slack has been stolen, confidential data with Confluence, stash and 2 monorepos from phabricator have also been stolen, along with secrets from sneaker,” the message said.

A spokesperson for Uber told the New York Times that the attacker sent the message from an employee’s Slack account after compromising it.

Uber’s Response to the Security Breach

Following the incident, Uber has told its employees not to use Slack. Furthermore, two unidentified employees told the New York Times that other internal systems were inaccessible. The company said it’s in contact with law enforcement regarding the breach. However, it did not reveal any information about the extent of the breach and whether it exposed sensitive user data.

“We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available,” Uber tweeted.

The New York Times also came across an internal email from Latha Maripuri, Uber’s chief information security officer, in which she said it was unclear “when full access to tools will be restored…”

We’ll update this story as more information becomes available.

There has been a rise in social engineering attacks against major tech companies. This year alone, malicious actors have targeted several high-profile companies, including Microsoft, Okta, Twilio, and MailChimp. The first two attacks were carried out by the Lapsus$ gang, which is reportedly run by teenagers.

To learn more about these attacks and how to protect your organization, check out our in-depth guide to social engineering.

Update 20th September 2022: Uber issued a security update on Monday, September 19, providing new information regarding the breach. The company said the source of the breach was an Uber EXT contractor whose account had been compromised. The contractor’s credentials were most likely stolen and sold on the dark web, Uber said. The hacker repeatedly tried to log in and eventually gained access.

Uber said it is likely that the hacker or hackers are affiliated with the Lapsus$ hacking group. The company said there is no indication that the breach exposed any sensitive user data.

“First and foremost, we’ve not seen that the attacker accessed the production (i.e. public-facing) systems that power our apps; any user accounts; or the databases we use to store sensitive user information, like credit card numbers, user bank account info, or trip history. We also encrypt credit card information and personal health data, offering a further layer of protection,” the company said.

Technology policy researcher
Prateek is a technology policy researcher with a background in law. His areas of interest include data protection, privacy, digital currencies, and digital literacy. Outside of his research interests, Prateek is an avid reader and is engaged in projects on sustainable farming practices in India.