Uber systems hacked by 18-year-old in a ‘major breach’? Here’s what we know so far

Update (20 September, 9:00 am): On September 19, Uber published a more detailed report of the incident, highlighting what happened, what steps the company took, the impact on customers, and who is responsible for the breach.

Original Story:

What happened: On September 15, The New York Times reported that Uber was investigating a cybersecurity breach and had taken several of its internal communications and engineering systems offline as a precaution. Later that day, Uber confirmed the development in a tweet and said that it was investigating the incident.

Why does this matter: Sam Curry, a security engineer at Yuga Labs who corresponded with the alleged hacker, told The Times that “this is a total compromise” and the hackers “pretty much have full access to Uber.” If this turns out to be true, it would be a major breach of the ride-hailing giant that provides millions of rides per day and stores sensitive customer details.


What has been compromised: According to cybersecurity experts who spoke with the alleged hacker, the breach appears to have compromised various internal systems of Uber, including its Amazon Web Services and Google Cloud Platform accounts, which would give the hacker access to the company’s source code, internal email, etc. Uber’s latest update on September 16, however, said that there is no evidence of sensitive user data being compromised.

“I announce I am a hacker”: The hacker, who claims to be an 18-year-old who did it because Uber had weak security, compromised a worker’s Slack account and sent a message that read: “I announce I am a hacker and Uber has suffered a data breach.” The message also listed several internal databases that were allegedly compromised, NYT stated. The hacker also added a hashtag saying that Uber underpays its drivers. Until Uber took its Slack system offline, many in the company thought it was a joke and interacted with the message, the Washington Post reported.

How was the hack carried out: In Uber’s case it appears that the hacker had the password of a worker in the company and then sent a push notification for multi-factor authentication to the worker’s phone, getting them to accept it by claiming to be an IT person at the company.

With this, the hacker accessed Uber’s VPN and subsequently connected with the company’s corporate intranet, allowing him access to sensitive files, one of which had an admin password to log into Thycotic: a privileged access management (PAM) tool that controlled access to other software used by the company such as AWS and Google Cloud, The Verge explained.
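From the defender's side, the sequence described above (a valid password, an approved MFA push, then a VPN connection) can be correlated in authentication logs. The following Python code is an added example, not part of the original article or of Uber's report; the event field names, the per-user known-IP list, the 30-minute window and the sample events are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs); field names are assumptions.
# "ip" on an mfa_push event is the address that requested the login.
EVENTS = [
    {"ts": "2024-01-10T09:00:00", "user": "alice", "type": "password_ok", "ip": "203.0.113.10"},
    {"ts": "2024-01-10T09:00:20", "user": "alice", "type": "mfa_push", "ip": "203.0.113.10", "result": "approved"},
    {"ts": "2024-01-10T09:01:00", "user": "alice", "type": "vpn_connect", "ip": "203.0.113.10"},
    {"ts": "2024-01-10T10:00:00", "user": "bob", "type": "password_ok", "ip": "198.51.100.7"},
    {"ts": "2024-01-10T10:01:00", "user": "bob", "type": "mfa_push", "ip": "198.51.100.7", "result": "denied"},
    {"ts": "2024-01-10T10:05:00", "user": "bob", "type": "mfa_push", "ip": "198.51.100.7", "result": "approved"},
    {"ts": "2024-01-10T10:06:00", "user": "bob", "type": "vpn_connect", "ip": "198.51.100.7"},
    {"ts": "2024-01-10T11:00:00", "user": "carol", "type": "password_ok", "ip": "198.51.100.9"},
    {"ts": "2024-01-10T11:01:00", "user": "carol", "type": "mfa_push", "ip": "198.51.100.9", "result": "denied"},
]
KNOWN_IPS = {"alice": {"203.0.113.10"}, "bob": {"203.0.113.20"}, "carol": {"203.0.113.30"}}
WINDOW = timedelta(minutes=30)


def find_suspicious_chains(events, known_ips, window=WINDOW):
    """Return (user, ip) pairs where a password login from an IP never seen
    for that user is followed, within `window`, by an approved MFA push and
    then a VPN connection from the same IP."""
    state = {}   # (user, ip) -> {"start": datetime, "stage": 1 or 2}
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        key = (ev["user"], ev["ip"])
        if ev["type"] == "password_ok" and ev["ip"] not in known_ips.get(ev["user"], set()):
            state[key] = {"start": ts, "stage": 1}   # chain opens
            continue
        st = state.get(key)
        if st is None or ts - st["start"] > window:
            state.pop(key, None)                      # no open chain, or it went stale
            continue
        if ev["type"] == "mfa_push" and st["stage"] == 1:
            if ev["result"] == "approved":
                st["stage"] = 2
            # a denied push leaves the chain open: another prompt may follow
        elif ev["type"] == "vpn_connect" and st["stage"] == 2:
            alerts.append(key)
            del state[key]
    return alerts


if __name__ == "__main__":
    for user, ip in find_suspicious_chains(EVENTS, KNOWN_IPS):
        print(f"ALERT: {user} approved a push for a login from unseen IP {ip}, then VPN connected")
```

An alert from this correlation is a prompt to contact the user out of band and confirm whether they initiated the login before the session is allowed to continue.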

This type of hack is usually referred to as social engineering, which is defined as “the psychological manipulation of people into performing actions or divulging confidential information.” Social engineering hacks are notorious because they can be used to target companies that otherwise have strong security systems.

For a more detailed explanation of how the hack was carried out, here’s a thread by cybersecurity researcher Bill Demirkapi:

Not Uber’s first major hack: Back in October 2016, hackers stole information about 57 million driver and rider accounts and demanded $100,000 from Uber to delete the data. While Uber made the payment, it didn’t disclose the breach for more than a year.

This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.


Written By

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.




MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ
