Uber says its services are operational again after a serious breach : NPR


An Uber sign is displayed at the company’s headquarters in San Francisco on Monday.

Jeff Chiu / AP



Ride-hailing service Uber said on Friday that all of its services are operating after what security experts call a major data breach. It said there was no evidence that hackers had access to sensitive user data.

It looks like a lone hacker announced the breach on Thursday after apparently tricking an Uber employee into providing login credentials.

Screenshots the hacker shared with security researchers show that the person has full access to the cloud-based systems where Uber stores sensitive customer and financial data.

It’s not clear how much data the hacker stole or how long they were in Uber’s network. Two researchers who spoke directly with the person, who claimed to one of them to be 18 years old, said the person appeared interested in going public. There is no indication that they destroyed the data.

But files shared with researchers and posted widely on Twitter and other social media show that hackers were able to gain access to Uber’s most important internal systems.

“It’s terrible that he has access. It’s terrible,” said Corbin Leo, one of the researchers who chatted with the hacker online.

He said the screenshots this person shared showed the intruder had access to systems hosted on Amazon and Google’s cloud-based servers, where Uber kept source code, financial data and customer data such as driver’s licenses.

“If he has the key to the kingdom, he can start discontinuing the service. He can delete the content,” said Leo, a researcher and head of business development for security firm Zellic. “He can download customer data, change people’s passwords.”

Screenshots the hacker shared – many of which found their way online – show they had access to sensitive financial data and internal databases. Among them was one in which the hacker reported the breach on Uber’s internal Slack collaboration system.

Sam Curry, an engineer with Yuga Labs who also contacted the hacker, said there is no indication that the hacker has done any damage or is interested in anything more than going public. “My gut feeling is that it looks like they’re out there getting as much attention as possible.”

Curry said he spoke to several Uber employees on Thursday who said they were “working to lock things down internally” to limit hackers’ access. That includes the San Francisco company’s Slack network, he said.

In a statement posted online on Friday, Uber said “internal software tools that we took down as a precaution yesterday will be back online.”

It said all of its services – including Uber Eats and Uber Freight – were up and running.

The company did not respond to questions from the Associated Press, including whether hackers had access to customer data and whether that data was stored encrypted. The company said there was no evidence that the intruder had access to “sensitive user data” such as trip history.

Curry and Leo said the hacker did not say how much data was copied. Uber did not recommend any specific actions to its users, such as changing passwords.

The hacker alerted researchers to Thursday’s breach using an internal Uber account on the company’s network used to post vulnerabilities identified through its bug bounty program, which pays ethical hackers to find network weaknesses.

After commenting on those posts, the hacker provided a Telegram account address. Curry and the other researchers then engaged them in a separate conversation, where the intruder provided screenshots of various pages from Uber’s cloud providers to prove the intrusion.

AP tried to contact the hacker at the Telegram account, but received no response.

The screenshot posted on Twitter seems to confirm what the researchers said the hacker claimed: that they gained privileged access to Uber’s most important systems through social engineering. Effectively, the hacker discovered an Uber employee’s password. Then, posing as a colleague, the hacker targeted the employee with a text message asking them to confirm that they were logged into their account. Finally, the employee provided the two-factor authentication code that the hacker used to log in.

Social engineering is a popular attack strategy, as humans tend to be the weakest link in any network. Teenagers used it in 2020 to hack Twitter, and it was recently used in attacks on tech companies Twilio and Cloudflare.

Uber has been hacked before.

Its former chief of security, Joseph Sullivan, is currently on trial for allegedly arranging to pay hackers $100,000 to cover up a 2016 high-tech theft in which the personal information of some 57 million customers and drivers was stolen.




