Wednesday, September 28, 2022
Home Reviews Uber investigating cybersecurity incident after hacker breaches its internal network

Uber investigating cybersecurity incident after hacker breaches its internal network

Uber confirmed on Thursday that it’s responding to a cybersecurity incident after reports claimed a hacker had breached its internal network.

The ride-hailing giant discovered the breach on Thursday and has taken several of its internal communications and engineering systems offline while it investigates the incident, according to a report by The New York Times, which broke the news of the breach. 

Uber said in a statement given to TechCrunch that it’s investigating a cybersecurity incident and is in contact with law enforcement officials, but declined to answer additional questions.

The sole hacker behind the beach, who claims to be 18 years old, told the NYT that he compromised Uber because the company had weak security. The attacker reportedly used social engineering to compromise an employee’s Slack account, persuading them to hand over a password that allowed them access to Uber’s systems. This has become a popular tactic in recent attacks against well-known companies, including Twilio, Mailchimp, and Okta.

Shortly before the Slack system was taken offline on Thursday afternoon, Uber employees received a message that read, “I announce I am a hacker and Uber has suffered a data breach”, the NYT reports. The hacker also reportedly said that Uber drivers should receive higher pay. 

According to Kevin Reed, CISO at cybersecurity company Acronis, the attacker found high privileged credentials on a network file share and used them to access everything, including production systems, Uber’s Slack management interface, and the company’s EDR portal.

“If you had your data in Uber, there’s a high chance so many people have access to it,” Reed said, noting that it’s not yet clear how the attacker bypassed two-factor authentication (2FA) after obtaining the employee’s password. 

The attacker is also believed to have gained administrative access to Uber’s cloud services including on Amazon Web Services (AWS) and Google Cloud (GCP), where Uber stores its source code and customer data, as well as the company’s HackerOne bug bounty program. 

Sam Curry, a security engineer at Yuga Labs who described the breach as a “complete compromise”, said that the threat actor likely had access to all of the company’s vulnerability reports, which means they may have had access to vulnerabilities that have not been fixed. HackerOne has since disabled the Uber bug bounty program. 

In a statement given to TechCrunch, Chris Evans, HackerOne CISO and Chief Hacking Officer said the company “is in close contact with Uber’s security team, have locked their data down, and will continue to assist with their investigation.”

This is not the first time that Uber has been compromised. In 2016, hackers stole information from 57 million driver and rider accounts and then approached Uber and demanded $100,000 to delete their copy of the data. Uber arranged the payment but kept the breach a secret for more than a year.

- Advertisment -

Most Popular

Former Calgary Dino now a rookie with NFL’s Los Angeles Chargers

Canadian Deane Leonard has certainly taken the path less travelled to the NFL’s Los Angeles Chargers. The 22-year-old cornerback is in his rookie season with...

‘Impact success!’ Nasa spacecraft smashes asteroid in first ever ‘planetary defence test’

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video Nasa has successfully crashed a spacecraft into a small asteroid...

TikTok could face £27m fine for failing to protect children’s privacy

TikTok could face £27m fine for failing to protect children’s privacyInvestigation finds video-sharing app may have breached UK data protection law between 2018 and...

Eight states sue crypto lender Nexo over security sales and misleading marketing

/ New York’s attorney general alleges that the company’s Earn Interest Product was a security, one that the company wasn’t registered to sell,...