What just happened? Uber is investigating a cybersecurity incident that has compromised many of its internal systems, giving the hacker, who says he is just 18 years old, almost complete access to the company’s network. The breach is thought to be as bad as or worse than the 2016 incident that exposed the details of 57 million customers.
The New York Times reports that the hacker used a common social engineering technique to access Uber’s systems. He sent a text message to one of the ride-hailing giant’s employees claiming to be a corporate IT person. The worker was persuaded to hand over their password, granting the perpetrator access to Uber’s network.
The hacker provided screenshots of Uber’s internal systems to the NYT as proof of his successful attack. He told the publication that he is 18 years old and had been working on his cybersecurity skills for several years, adding that Uber’s weak security prompted him to compromise its network.
Once he had access, the hacker sent a Slack message to employees that read: “I announce I am a hacker and Uber has suffered a data breach.” It listed several compromised databases and appeared to call for Uber drivers to receive higher pay. Uber took its internal Slack and engineering systems offline earlier today as it investigated the breach.
Sam Curry, a security engineer at Yuga Labs who corresponded with the hacker, said the person has full admin access to Uber’s Amazon Web Services and Google Cloud services. “It seems like maybe they’re this kid who got into Uber and doesn’t know what to do with it, and is having the time of his life,” Curry said.
In an official statement, Uber wrote: “We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available.”
Besides his age, little is known about the hacker, though it’s speculated that he is British; an employee said he used the word “wankers,” and he may go by the username ‘teapots2022.’ He also accessed Uber’s HackerOne vulnerability bug bounty account and left comments on several report tickets.
From an Uber employee:
Feel free to share but please don’t credit me: at Uber, we got an “URGENT” email from IT security saying to stop using Slack. Now anytime I request a website, I am taken to a REDACTED page with a pornographic image and the message “F*** you wankers.”
— Sam Curry (@samwcyo) September 16, 2022
According to Acronis’ CISO Kevin Reed, the hacker accessed production systems, the corporate EDR (endpoint detection and response) console, and Uber’s Slack management interface. It’s still unclear how he bypassed the 2FA after stealing the Uber employee’s password, and we still don’t know if customer information has been accessed.
The breach is being compared to the 2016 incident in which the names, email addresses, and phone numbers of 50 million Uber customers, along with the personal details of 7 million drivers, were stolen. Uber paid the hackers responsible $100,000 to delete the data and stop the incident from becoming public knowledge, and it concealed the breach for over a year. The company had to pay a $148 million settlement for the hack and its failure to disclose what happened.