Uber systems hacked by 18-year-old in a ‘major breach’? Here’s what we know so far

Update (20 September, 9:00 am): Uber published a more detailed report on September 19 of the incident, highlighting what happened, what steps the company took, the impact on customers, and who is responsible for the breach.

Original Story:

What happened: On September 15, The New York Times reported that Uber was investigating a cybersecurity breach and had taken several of its internal communications and engineering systems offline as a precaution. Uber confirmed the development later that day in a tweet and said that it was investigating the incident:

Why does this matter: Sam Curry, a security engineer at Yuga Labs who corresponded with the alleged hacker, told The Times that “this is a total compromise” and the hackers “pretty much have full access to Uber.” If this turns out to be true, it would be a major breach of the ride-hailing giant that provides millions of rides per day and stores sensitive customer details.


What has been compromised: According to cybersecurity experts who spoke with the alleged hacker, the breach appears to have compromised various internal systems of Uber including its Amazon Web Services and Google Cloud Platform accounts, which would give the hacker access to the company’s source code, internal email, etc. Uber’s latest update on September 16, however, said that there is no evidence of sensitive user data being compromised:

“I announce I am a hacker”: The hacker, who claims to be an 18-year-old who did it because Uber had weak security, compromised a worker’s Slack account and sent a message that read: “I announce I am a hacker and Uber has suffered a data breach.” The message also listed several internal databases that were allegedly compromised, NYT stated. The hacker also added a hashtag saying that Uber underpays its drivers. Until Uber took its Slack system offline, many in the company thought it was a joke and interacted with the message, the Washington Post reported.

How was the hack carried out: In Uber’s case it appears that the hacker had the password of a worker in the company and then sent a push notification for multi-factor authentication to the worker’s phone, getting them to accept it by claiming to be an IT person at the company.

With this, the hacker accessed Uber’s VPN and subsequently connected with the company’s corporate intranet, allowing him access to sensitive files, one of which had an admin password to log into Thycotic: a privileged access management (PAM) tool that controlled access to other software used by the company such as AWS and Google Cloud, The Verge explained.
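The step that turned one compromised account into broad access was a readable file containing the PAM admin password. The following is an added example, not code from this article or from Uber: a small scanner a defender could run over an internal file share to find literal credentials in scripts and config files. The sample script, host and account names, file suffixes and thresholds are all constructed assumptions.

```python
import math
import re
from collections import Counter
from pathlib import Path

# Constructed sample of an automation script left on an internal share.
# Host, account and secret values are invented for this example.
SAMPLE_SCRIPT = '''\
PAM_HOST="pam.corp.example"
PAM_USER="svc-admin"
PAM_PASSWORD="Wq7!fR2z#Lm9pX4v"
API_TOKEN="${VAULT_TOKEN}"
DB_PASSWORD="<CHANGE_ME>"
'''

# A secret-looking name assigned a quoted literal value.
ASSIGN = re.compile(r'''(?ix)
    (?P<name>[\w.-]*(?:pass(?:word|wd)?|secret|token|api[_-]?key)[\w.-]*)
    \s*[:=]\s*
    (?P<q>["'])(?P<value>.+?)(?P=q)''')
# Values that are references or template markers, not real secrets.
PLACEHOLDER = re.compile(r'^(<.*>|\$\{?.*|%.*%|changeme|\*+)$', re.I)

def entropy(s):
    """Shannon entropy in bits per character."""
    return -sum(n / len(s) * math.log2(n / len(s)) for n in Counter(s).values())

def find_hardcoded_secrets(text, min_len=8, min_entropy=3.0):
    """Return (line_no, name, masked_value) for each likely literal secret."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = ASSIGN.search(line)
        value = m.group("value") if m else ""
        if not m or PLACEHOLDER.match(value) or len(value) < min_len:
            continue
        if entropy(value) >= min_entropy:
            # Mask the value so the report itself does not leak the secret.
            findings.append((line_no, m.group("name"), value[:2] + "***"))
    return findings

def scan_tree(root, suffixes=(".ps1", ".sh", ".py", ".cfg", ".ini")):
    """Scan text files under root; returns {path: findings} for hits only."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = find_hardcoded_secrets(path.read_text(errors="ignore"))
            if hits:
                report[str(path)] = hits
    return report
```

Only the literal password on line 3 of the sample is reported; the environment reference and the template placeholder are skipped.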

This type of hack is usually referred to as social engineering, which is defined as “the psychological manipulation of people into performing actions or divulging confidential information.” Social engineering hacks are notorious because they can be used to target companies that otherwise have strong security systems.

For a more detailed explanation of how the hack was carried out, here’s a thread by cybersecurity researcher Bill Demirkapi:

Not Uber’s first major hack: Back in October 2016, hackers stole information about 57 million driver and rider accounts and demanded $100,000 from Uber to delete the data. While Uber made the payment, it didn’t disclose the breach for more than a year.


This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ
