Uber security breached and its systems hacked again

Uber revealed yesterday that its computer network had been breached, forcing the company to take several internal communications and engineering systems offline while it investigated the extent of the hack.


The breach appears to have compromised many of the company’s internal systems, and the person claiming responsibility for the hack sent images of emails, cloud storage and code repositories to cybersecurity researchers and The New York Times.

“They have almost complete access to Uber,” said Sam Curry, a security engineer at Yuga Labs who corresponded with the person who claimed responsibility for the breach. “This is total commitment, as it stands.”


An Uber spokesperson said the company is investigating the breach and contacting law enforcement.

Uber employees were told not to use the company’s internal messaging service, Slack, and that other internal systems were down, said two employees, who were not authorized to speak publicly.

Just before the Slack system went down on Thursday afternoon, Uber employees received a message that read: “I am announcing that I am a hacker and that Uber has suffered a data breach.” The message listed several internal databases that the hacker claimed were compromised.

A hacker compromised a co-worker’s Slack account and used it to send a message, an Uber spokesperson said. The hacker also appears to have gained access to other internal systems by posting an explicit photo on an internal employee information page.

The person who claimed responsibility for the hack told The New York Times that he sent a text message to an Uber employee claiming to be an expert in corporate information technology. The worker was persuaded to hand over a password that allowed the hacker access to Uber’s systems, a technique known as social engineering.

“These types of social engineering attacks against technology companies are on the rise,” said Rachel Tobac, CEO of SocialProof Security. Tobac recalled the Twitter hack in 2020 in which teenagers used social engineering to break into the company. Similar techniques were used in recent breaches at Microsoft and Okta.

“We’re seeing attackers getting smarter and also documenting what they’re doing,” Tobac said. “Now they have kits that make it easy to implement and use these social engineering methods. It has almost become a product, a commodity.”

The hacker, who provided screenshots of Uber’s internal systems to demonstrate his approach, said he was 18 years old and had been working on his cybersecurity skills for several years. He said he broke into Uber’s systems because the company had lax security. In the Slack message announcing the breach, the person also said that Uber drivers should be paid more.

The person appears to have had access to Uber’s source code, email and other internal systems, Curry said. “This kid who joined Uber doesn’t seem to know what to do with it, and he’s having a great time,” he said.

In an internal email seen by The New York Times, an Uber executive told employees that the hack was under investigation. “We don’t yet have an estimate of when full access to the tools will be restored, so we thank you for joining us,” wrote Latha Maripuri, the company’s director of information security.

This is not the first time a hacker has accessed Uber data. In 2016, hackers stole information from 57 million driver and passenger accounts, then approached Uber and demanded $100,000 to delete their copy of the data. Uber agreed to pay, but kept the breach a secret for more than a year.

Joe Sullivan, who was Uber’s chief security officer at the time, was fired for his role in the company’s response to the hack. Sullivan was charged with obstruction of justice for failing to disclose the breach to regulatory authorities and is currently on trial.

Sullivan’s lawyers argued that other employees were responsible for the regulatory disclosures and said the company used Sullivan as a scapegoat.

via the NY Times
