Uber Technologies Inc. says it’s investigating a “cybersecurity incident” after a hacker breached its internal systems and left messages with evidence that they had accessed critical information.
“We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available,” the Uber Communications account tweeted Thursday evening.
The New York Times, which was the first to report on the incident, said the hacker posted a message to Uber’s internal communication system during the attack that read, “I announce I am a hacker and Uber has suffered a data breach.” The same message went on to list several internal databases the hacker claimed to have compromised.
The Times, which said it spoke with the hacker, said the breach had been carried out through social engineering of an employee, which led to the theft of their password. This kind of attack involves tricking someone into giving away access credentials through an email, phone call or website, which then allows a third party to access internal systems.
“They pretty much have full access to Uber,” said Sam Curry, a security engineer at Yuga Labs who corresponded with the person who claimed to be responsible for the breach. “This is a total compromise, from what it looks like.”
Screenshots shared by the hacker appear to reveal a multitude of critical Uber systems, including security software, the Amazon Web Services console, VMware virtual machines, Google email admin dashboards and the Slack server. Employees were asked to log out of the Slack server while Uber investigates.
Chris Vaughan, an area vice president of technical account management at cybersecurity firm Tanium Inc., said big organizations such as Uber are common targets for hackers because of the monetizable assets within their databases, such as customer and driver records.
“This is another example of a relatively simple attack causing a big incident and potentially huge reputational damage for the victim organization,” Vaughan said. “The attacker social-engineered an employee to gain access to the network via VPN. Once in, they were able to find hard-coded passwords in scripts and then used them to infiltrate several parts of the network. This includes gaining access to their admin management tools as well as several databases.”
From a cursory analysis, Vaughan said, it would appear that the attacker may have had access to data of both drivers and customers.
So far Uber has not given any details about what data the hacker may have compromised. Uber has said that the hack is currently under investigation.
A group of hackers responsible for a string of recent cyberattacks used social engineering to compromise Twilio Inc. and attempted to breach Cloudflare Inc. The same attackers were soon discovered to have targeted more than 130 organizations in the same campaign.
This is not the first time Uber has been compromised. In 2021, the company fired its chief security officer after it claimed he hid details of a hack in 2016 that exposed over 57 million customer records and the license numbers of about 100,000 Uber drivers. It was also revealed that the company’s ex-security chief had paid the hackers $100,000 in ransom to cover their tracks and keep the breach quiet.
“Uber’s security program is more mature than most,” Sysdig Inc. Director of Cybersecurity Strategy Michael Isbitski told SiliconANGLE. “It clearly includes the use of multifactor authentication to strengthen remote access, privilege access management to protect privileged credentials, and service integration to support security automation. This event shows that even with security controls in place, breaches will happen.”