Account Takeover Fraud , Cybercrime , Endpoint Security

Uber Probes Breach After Hacker Boasts About Intrusion

Hacker Announced in Internal Slack Messaging App: 'Uber Has Suffered a Data Breach'
Uber Probes Breach After Hacker Boasts About Intrusion
Photo: Andrew Caballero-Reynolds/AFP/Getty Images

Ride-hailing service Uber is probing a hack attack after an intruder appeared to breach multiple internal systems. Uber has taken its internal communications system and some tools offline while it investigates.

See Also: New OnDemand | C-Suite Round-up: Connecting the Dots Between OT and Identity

News of the attack was first reported by The New York Times, which says a hacker has claimed responsibility for the intrusion and shared with it emails confirming the attack, as well as screenshots of Uber's cloud storage and code repositories.

What the attacker might have accessed remains unclear. Information shared by the hacker suggests they compromised, bypassed or accessed Uber's Duo Security, OneLogin, Amazon Web Services and Google Workspace environments, as well as sales metrics tools, VMware server management software and an anti-malware administrator portal.

The attacker also accessed Uber's HackerOne account, giving them access to vulnerability reports, says Sam Curry, a staff security engineer at blockchain technology company Yuga Labs. HackerOne says it has been working with Uber to block the attacker's access.

Reached for comment, Uber declined to detail the full scope of the attack or investigation.

"We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates as they become available," an Uber spokesperson tells Information Security Media Group.

News of the Uber breach comes just a few months after the ride-hailing service reached an agreement with the U.S. Department of Justice to resolve a criminal investigation into a massive data breach it suffered in 2016 (see: Uber Admits Covering Up 2016 Data Breach, Avoids Prosecution).

No Joke

Uber employees Thursday afternoon reportedly received a message via the company's Slack messaging app that read: "I announce I am a hacker and Uber has suffered a data breach."

Many employees initially suspected it was a joke, the Times reports, until Uber CISO Latha Maripuri announced that multiple systems had been taken offline as a precaution, warning them that the hack was under investigation and the company didn't have "an estimate right now as to when full access to tools will be restored."

The hacker told the Times they had compromised an employee's Slack account and used social engineering - pretending to be an IT employee - to obtain credentials allowing them to access other internal systems.

The hacker also criticized Uber, saying it doesn't pay drivers enough.

Per the screenshots provided to the Times, the attacker could "absolutely" have accessed employee and customer information, Yuga Labs' Curry tells ISMG. But he adds that "whether or not they actually went and retrieved that data is the question."

The attack, and attempts to mitigate it, appear to be continuing to disrupt operations. "At Uber, we got an 'URGENT' email from IT security saying to stop using Slack. Now anytime I request a website, I am taken to a REDACTED page with a pornographic image and the message 'F*** you wankers,'" an employee told Curry.

How the Breach Unfolded

The impact of the hack attack on Uber appears to be "severe and wide-ranging," says Bill Demirkapi, a security researcher at Microsoft, who notes that Uber's incident response team is probably now hunting in particular for any backdoors the attacker may have left inside its infrastructure.

Based on details shared by the attacker, Demirkapi says they appeared to set up a fake domain, backed by tools such as Evilginx, which allowed them to reroute traffic and trick an employee into sharing their Cisco Duo Security multifactor authentication one-time code. "Once the attacker compromised an employee, they appear to have used that victim's existing VPN access to pivot to the internal network," he says.

If so, that would make Uber the most recent in a long line of companies to have been breached by attackers fooling employees into sharing their one-time MFA codes, including Cisco, DoorDash, Mailchimp, Twilio and more (see: Okta Customer Data Exposed via Phishing Attack on Twilio).

"How does an organization even protect themselves against such an attack? For starters, using 'phishing-resistant' forms of MFA, such as FIDO2, is an extremely effective measure against these social engineering attacks," Demirkapi says (see: Hardware MFA Stops Attack on Cloudflare).


About the Author

Prajeet Nair

Prajeet Nair

Principal Correspondent, ISMG

Nair is principal correspondent for Information Security Media Group's global news desk. He has previously worked at TechCircle, IDG, Times Group and other publications where he reported on developments in enterprise technology, digital transformation and other issues.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.