Update (20 September, 9:00 am): Uber published a more detailed report of the incident on September 19, describing what happened, the steps the company took, the impact on customers, and who is responsible for the breach.
What happened: On September 15, The New York Times reported that Uber was investigating a cybersecurity breach and had taken several of its internal communications and engineering systems offline as a precaution. Later that day, Uber confirmed the development in a tweet and said it was investigating the incident:
We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available.
— Uber Comms (@Uber_Comms) September 16, 2022
Why does this matter: Sam Curry, a security engineer at Yuga Labs who corresponded with the alleged hacker, told The Times that “this is a total compromise” and that the hackers “pretty much have full access to Uber.” If this turns out to be true, it would be a major breach of the ride-hailing giant, which provides millions of rides per day and stores sensitive customer details.
What has been compromised: According to cybersecurity experts who spoke with the alleged hacker, the breach appears to have compromised various internal systems of Uber, including its Amazon Web Services and Google Cloud Platform accounts, which would give the hacker access to the company’s source code, internal email and other data. In an update tweeted by @Uber_Comms on September 16, 2022, however, Uber said there was no evidence that sensitive user data had been compromised.
“I announce I am a hacker”: The hacker, who claims to be 18 years old and says the attack was carried out because Uber had weak security, compromised a worker’s Slack account and sent a message that read: “I announce I am a hacker and Uber has suffered a data breach.” The message also listed several internal databases that were allegedly compromised, NYT stated. The hacker added a hashtag saying that Uber underpays its drivers. Until Uber took its Slack system offline, many in the company thought the message was a joke and interacted with it, the Washington Post reported.
How was the hack carried out: In Uber’s case, it appears that the hacker already had a worker’s password and then triggered a multi-factor authentication push notification to the worker’s phone, getting them to accept it by claiming to be from the company’s IT department. The second factor therefore added no protection: the device was in the legitimate user’s hands, but the approval was granted to the attacker.
With this, the hacker accessed Uber’s VPN and from there the corporate intranet, where he found sensitive files, one of which contained an admin password for Thycotic, a privileged access management (PAM) tool that controlled access to other software used by the company, such as AWS and Google Cloud, The Verge explained.
Apparently there was an internal network share that contained PowerShell scripts…
"One of the PowerShell scripts contained the username and password for an admin user in Thycotic (PAM). Using this I was able to extract secrets for all services, DA, DUO, Onelogin, AWS, GSuite" pic.twitter.com/FhszpxxUEW
— Corben Leo (@hacker_) September 16, 2022
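The script share is the weak link in the chain described above: a PAM tool cannot protect a secret that has been pasted into a script stored next to it. The following is an added example, not Uber’s, Thycotic’s or the hacker’s code, of a scanner that walks a directory tree (such as a mounted network share) and reports credentials hard-coded in PowerShell-style scripts, with the secret redacted in the output. The share layout, host names, account names, secrets and the token endpoint in the sample scripts are all constructed for the demonstration.

```python
"""Scan a file tree (for example a mounted network share) for credentials
hard-coded in PowerShell and other scripts, reporting them redacted."""
import re
import tempfile
from pathlib import Path

SCRIPT_SUFFIXES = {".ps1", ".psm1", ".bat", ".cmd", ".sh", ".py", ".txt", ".xml", ".config"}

# Each rule: (name, regex whose group 1 is the secret literal). All case-insensitive.
RULES = [
    ("plaintext variable assignment",
     re.compile(r'\$(?:pass(?:word|wd)?|pwd|secret|token|api_?key)\s*=\s*["\']([^"\']{4,})["\']', re.I)),
    ("SecureString built from a literal",
     re.compile(r'ConvertTo-SecureString\s+(?:-String\s+)?["\']([^"\']+)["\']\s+-AsPlainText', re.I)),
    ("secret passed as a literal parameter",
     re.compile(r'-(?:Password|Pass|Secret|Token|ApiKey)\s+["\']([^"\']+)["\']', re.I)),
    ("credential in URL or form body",
     re.compile(r'(?<![\w$])(?:password|passwd|pwd)=([^&\s"\'$]+)', re.I)),
]

# Constructed sample scripts (hypothetical hosts and accounts, not Uber's).
SAMPLE_SHARE = {
    "pam/rotate-thycotic.ps1": r'''# Rotates a break-glass account through the Secret Server REST API
$user = "svc_pam_admin"
$pass = "Sup3rS3cret!"
$body = "grant_type=password&username=$user&password=$pass"
$tok = Invoke-RestMethod -Uri "https://pam.corp.example/SecretServer/oauth2/token" -Method Post -Body $body
''',
    "it-tools/deploy.ps1": r'''# Pushes the intranet portal build to the web tier
$sec = ConvertTo-SecureString "Winter2022!" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("CORP\deploy", $sec)
Connect-VIServer -Server vc01.corp.example -User "admin" -Password "vSphere!23"
''',
    "backup/clean-backup.ps1": r'''# Prompts for credentials instead of storing them
$cred = Get-Credential -Message "Backup service account"
$token = $env:BACKUP_API_TOKEN
$key = Read-Host -Prompt "Encryption key" -AsSecureString
''',
}


def redact(secret):
    """Keep two characters so the owner can recognise the secret, hide the rest."""
    return secret[:2] + "*" * max(len(secret) - 2, 3)


def scan_file(path, root):
    """Apply each rule to each line; one finding per line is enough."""
    findings = []
    try:
        lines = path.read_text(errors="replace").splitlines()
    except OSError:
        return findings
    for lineno, line in enumerate(lines, 1):
        for rule, pattern in RULES:
            m = pattern.search(line)
            # A value beginning with "$" is a variable reference, not a literal.
            if m and not m.group(1).startswith("$"):
                findings.append({
                    "path": path.relative_to(root).as_posix(),
                    "line": lineno,
                    "rule": rule,
                    "secret": redact(m.group(1)),
                })
                break
    return findings


def scan_tree(root):
    """Walk the tree in a deterministic order and scan script-like files."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in SCRIPT_SUFFIXES:
            findings.extend(scan_file(path, root))
    return findings


def build_sample_share(root):
    """Write the constructed sample scripts under root."""
    for rel, content in SAMPLE_SHARE.items():
        dest = Path(root) / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_text(content)


def demo():
    """Build the sample share in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_share(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['path']}:{f['line']}  {f['rule']}  ({f['secret']})")
```

Run against a real share, the scanner is a first pass only: it misses Base64-wrapped or concatenated strings, and every hit should be rotated, not merely deleted from the file, because anyone with read access to the share may already have copied it. The clean-backup.ps1 sample shows the pattern that produces no findings: prompt for the credential or read it from the environment at run time.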
This type of attack is usually referred to as social engineering, defined as “the psychological manipulation of people into performing actions or divulging confidential information.” Here the manipulation targeted the MFA step itself: the worker was persuaded to approve a login prompt they had not initiated. Social engineering attacks are notorious because they work even against companies whose technical security controls are otherwise strong.
For a more detailed explanation of how the hack was carried out, here’s a thread by cybersecurity researcher Bill Demirkapi:
Let's talk about how they were compromised. The attacker has been quite upfront about how they compromised Uber's corporate infrastructure. Uber appears to use push notification MFA (Duo) for their employees. How can an attacker get around MFA? 2/N pic.twitter.com/IVR009timm
— Bill Demirkapi (@BillDemirkapi) September 16, 2022
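One common answer to the question in that thread is that an attacker holding a valid password keeps sending push prompts, or persuades the user out of band, until one is approved. The authentication log still records every prompt that was denied or timed out before the approval, so the pattern is detectable. Below is an added example, not Uber’s or Duo’s code, of that detection run over a constructed, pipe-delimited log; the field names are loosely modeled on push-MFA authentication logs, but the format, users, addresses and events are all invented for the demonstration.

```python
"""Flag MFA push-fatigue patterns in push-authentication logs.

A run of push prompts that are denied or time out, followed by an approval
from the same user inside a short window, is the signature of an attacker
holding a valid password and waiting for the victim to tap "Approve".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real Uber or Duo data). One event per line:
# ISO-8601 timestamp | user | factor | result | reason | source IP
# Lines are deliberately not in time order, as collected logs often are not.
SAMPLE_LOG = """\
2022-09-15T21:02:11Z|j.doe|duo_push|denied|no_response|203.0.113.7
2022-09-15T21:03:40Z|j.doe|duo_push|denied|no_response|203.0.113.7
2022-09-15T21:06:55Z|j.doe|duo_push|denied|no_response|203.0.113.7
2022-09-15T21:05:02Z|j.doe|duo_push|denied|user_mistake|203.0.113.7
2022-09-15T21:41:19Z|j.doe|duo_push|success|user_approved|203.0.113.7
2022-09-15T21:10:00Z|a.lee|duo_push|success|user_approved|198.51.100.4
2022-09-15T21:12:00Z|a.lee|duo_push|denied|no_response|198.51.100.4
2022-09-15T21:20:00Z|a.lee|duo_push|success|user_approved|198.51.100.4
2022-09-15T08:00:00Z|j.doe|duo_push|denied|no_response|203.0.113.7
"""


def parse_log(text):
    """Parse the pipe-delimited sample format into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, factor, result, reason, ip = line.split("|")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "factor": factor, "result": result,
            "reason": reason, "ip": ip,
        })
    return events


def detect_push_fatigue(log_text, window_minutes=60, min_denials=3):
    """Return one alert per approval that was preceded by at least
    min_denials unapproved pushes for the same user within the window."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for ev in parse_log(log_text):
        if ev["factor"] == "duo_push":
            by_user[ev["user"]].append(ev)

    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])  # order is not guaranteed in the input
        pending = []  # unapproved pushes that are still inside the window
        for ev in events:
            cutoff = ev["ts"] - window
            pending = [p for p in pending if p["ts"] >= cutoff]  # drop stale denials
            if ev["result"] != "success":
                pending.append(ev)
                continue
            if len(pending) >= min_denials:
                alerts.append({
                    "user": user,
                    "denied_before_approval": len(pending),
                    "first_push": pending[0]["ts"].isoformat(),
                    "approved_at": ev["ts"].isoformat(),
                    "source_ips": sorted({p["ip"] for p in pending} | {ev["ip"]}),
                })
            pending = []  # an approval ends the run either way
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG):
        print(alert)
```

The window and threshold are tuning knobs: a single accidental denial followed by an approval (a.lee in the sample) is normal behaviour and is not flagged, while four unanswered prompts followed by an approval forty minutes later (j.doe) is. A denial from hours earlier falls outside the window and is ignored. Detection of this kind is a compensating control; the stronger fix is to replace plain push approval with number matching or a phishing-resistant factor so that a persuasive phone call cannot complete the login.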
Not Uber’s first major hack: In October 2016, hackers stole information on 57 million driver and rider accounts and demanded $100,000 from Uber to delete the data. Uber made the payment but did not disclose the breach for more than a year.
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.