On Thursday, Uber found out that its computer network had been hacked, which prompted the firm to take down some of its internal communications and engineering systems while it examined the scope of the intrusion.
A significant number of Uber’s internal systems looked to have been hacked as a result of the attack, and the individual who claimed responsibility for the hack shared photos of email, cloud storage, and code repositories to cybersecurity experts and The New York Times.
Sam Curry, a security engineer at Yuga Labs who spoke with the individual who claimed to be responsible for the hack, said that “They pretty much have full access to Uber.” “From what I can see, this is a complete concession on all sides.”
A spokeswoman for Uber said that the firm was looking into the security issue and was in touch with law enforcement authorities.
According to two employees who were not permitted to talk publicly about the matter, Uber workers were given the instruction not to use the company’s internal messaging programme, which is called Slack, and discovered that other internal services were unavailable.
Employees at Uber got a message on Thursday afternoon that said, “I declare I am a hacker and Uber has suffered a data breach just before the Slack system was taken down.” The letter continued on to detail numerous other internal databases, all of which the hacker claimed to have been breached in some way.
According to a spokeswoman for Uber, a hacker gained access to one of the company’s employees’ Slack accounts and used it to deliver the message. It appears that the hacker was subsequently able to obtain access to additional internal systems, as shown by the fact that they posted a sexually explicit picture on a page that is accessible to staff only internally.
The individual who has taken responsibility for the breach has informed The New York Times that he deceived an Uber employee by sending them a text message in which he claimed to work in the company’s information technology department. By using a strategy that is known as social engineering, the hacker was able to convince the employee to give up a password, which then enabled them to get access to Uber’s servers.
According to Rachel Tobac, chief executive of SocialProof Security, “these kinds of social engineering assaults to get a foothold inside IT organisations have been expanding.” Companies that specialise in information technology are becoming the target of such attacks. Ms. Tobac cited the breach of Twitter that occurred in the year 2020, in which young people gained access to the corporation using social engineering. Recent hacks at Microsoft and Okta also included the use of social engineering tactics that were comparable.
Ms. Tobac said that “We are noticing that attackers are growing smarter and are also recording what is working.” They now have kits that make it simpler to deploy and employ these techniques of social engineering, and these kits can be purchased online. It has reached the point where it is nearly a commodity.
The hacker, who demonstrated his access by providing images of internal Uber systems, said that he was 18 years old and had been working on his cybersecurity abilities for many years. He gave the pictures to show his access. He claimed that he had gained access to Uber’s computers due to the company’s lax security measures. Additionally, the individual suggested that Uber drivers should be paid more in the Slack message that was sent to notify the data incident.
According to Mr. Curry, the individual seemed to have access to the source code of Uber as well as email and other internal systems. “It seems like maybe they’re this child who got into Uber and doesn’t know what to do with it.”
An senior from Uber disclosed to staff, through an internal email that was obtained by The New York Times, that the company was looking into the hacking incident. According to a message sent out by Uber’s chief information security officer Latha Maripuri to customers.
It was not the first time a hacker had taken data from Uber; in fact, it was one of many times. In 2016, hackers gained access to 57 million driver and passenger accounts and stole information from those accounts. The hackers then contacted Uber and wanted $100,000 to remove their copy of the data. Uber arranged for the money, but for almost a year, they remained silent about the security lapse.
Because of his part in the company’s reaction to the attack, Joe Sullivan, who had been Uber’s senior security officer at the time, was terminated from his position. Because Mr. Sullivan did not report the breach to the appropriate authorities, he is being prosecuted for obstructing justice, and the trial is presently underway.
Attorneys for Mr. Sullivan have contended that other workers at the corporation were responsible for regulatory filings and that the company is using Mr. Sullivan as a scapegoat.