Uber confirmed on Thursday that it’s responding to a cybersecurity incident after reports claimed a hacker had breached its internal network.
The ride-hailing giant discovered the breach on Thursday and has taken several of its internal communications and engineering systems offline while it investigates the incident, according to a report by The New York Times, which broke news of the breach.
Uber said in a statement given to TechCrunch that it’s investigating a cybersecurity incident and is in contact with law enforcement officials, but declined to answer additional questions.
The sole hacker behind the beach, who claims to be 18 years old, told the Times that he compromised Uber because the company had weak security. The attacker reportedly used social engineering to compromise an employee’s Slack account, persuading them to hand over a password that allowed them access to Uber’s systems. This has become a popular tactic in recent attacks against well-known companies, including Twilio, Mailchimp and Okta.
Shortly before the Slack system was taken offline on Thursday afternoon, Uber employees received a message that read, “I announce I am a hacker and Uber has suffered a data breach,” the Times reports. The hacker also reportedly said that Uber drivers should receive higher pay.
According to Kevin Reed, CISO at cybersecurity company Acronis, the attacker found high-privileged credentials on a network file share and used them to access everything, including production systems, Uber’s Slack management interface and the company’s endpoint detection and response (EDR) portal.
“If you had your data in Uber, there’s a high chance so many people have access to it,” Reed said in a LinkedIn post, noting that it’s not yet clear how the attacker bypassed two-factor authentication (2FA) after obtaining the employee’s password.
The attacker is also believed to have gained administrative access to Uber’s cloud services, including on Amazon Web Services (AWS) and Google Cloud (GCP), where Uber stores its source code and customer data, as well as the company’s HackerOne bug bounty program.
Sam Curry, a security engineer at Yuga Labs who described the breach as a “complete compromise,” said that the threat actor likely had access to all of the company’s vulnerability reports, which means they may have had access to vulnerabilities that have not been fixed. HackerOne has since disabled the Uber bug bounty program.
In a statement given to TechCrunch, Chris Evans, HackerOne CISO and chief hacking officer, said the company “is in close contact with Uber’s security team, have locked their data down, and will continue to assist with their investigation.”
This is not the first time that Uber has been compromised. In 2016, hackers stole information from 57 million driver and rider accounts and then approached Uber and demanded $100,000 to delete the data. Uber made the payment to the hackers but kept the news of the breach quiet for more than a year.
If you know more about the Uber breach, you can contact this author via Signal at +44 1536 853968.