Uber suffered a major hack on Thursday that compromised its internal network.
An 18-year-old hacker claimed responsibility for the attack by sending images of email, cloud storage and code repositories to the New York Times, which was the first newspaper to report the incident.
The hacker also bragged to a number of security researchers about the steps they took to gain access, announced it on Telegram, and posted a message on the company’s official Slack.
The message read: “Hi @here I announce I am a hacker and Uber has suffered a data breach,” listing a number of Uber databases and cloud services, and concluding with the sign-off, “uberunderpaisdrives.”
They also reportedly said that Uber drivers should receive higher pay.
In response to the attack, Uber contacted the authorities and temporarily took a number of its internal communications and engineering systems offline. Its investigation found that the 18-year-old hacker used social engineering to take over an employee's Slack account.
The attacker's own account of the incident matches these findings: they explained that they kept sending the employee multifactor authentication login notifications for more than an hour, then contacted the same target on WhatsApp, pretending to be an Uber IT person, to say that the MFA notifications would stop once the target approved the login.
This method, known as "MFA fatigue" or an "exhaustion" attack, is the same one recently used against a number of companies, including Twilio and Mailchimp.
It remains unclear, however, whether the employee actually handed over any passwords to Uber's internal systems, and how the attacker managed to get past the VPN and two-factor authentication.
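One way a defender can surface this pattern in authentication logs, as an added Python example that is not part of the article (the log format, field names and sample events are all constructed):

```python
"""Flag MFA push-fatigue patterns in authentication logs.

Heuristic: a burst of push prompts for one account inside a short window,
especially when an approval finally follows a run of denials or timeouts,
is the signature of the prompt-flooding technique described above.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): one user is flooded with
# prompts and eventually approves; another user completes a normal login.
SAMPLE_LOG = """\
2022-09-15T21:00:05Z user=alice event=mfa_push result=denied
2022-09-15T21:03:41Z user=alice event=mfa_push result=timeout
2022-09-15T21:07:12Z user=alice event=mfa_push result=denied
2022-09-15T21:10:58Z user=alice event=mfa_push result=timeout
2022-09-15T21:14:30Z user=alice event=mfa_push result=denied
2022-09-15T21:18:02Z user=alice event=mfa_push result=approved
2022-09-15T21:02:00Z user=bob event=mfa_push result=approved
"""


def parse_line(line):
    """Split one constructed 'ts key=value ...' line into (time, user, result)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kv["user"], kv["result"]


def find_push_fatigue(log_text, min_prompts=5, window=timedelta(minutes=30)):
    """Return {user: (prompt_count, approved_after_rejections)} for users
    who received at least min_prompts push prompts inside one window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if "event=mfa_push" not in line:
            continue
        ts, user, result = parse_line(line)
        events[user].append((ts, result))
    findings = {}
    for user, evs in events.items():
        evs.sort()  # chronological order per user
        for i, (start, _) in enumerate(evs):
            burst = [r for t, r in evs[i:] if t - start <= window]
            if len(burst) >= min_prompts:
                rejected = sum(r != "approved" for r in burst)
                # Highest severity: every prompt but the last was rejected,
                # then the user finally approved, i.e. fatigue paid off.
                gave_in = burst[-1] == "approved" and rejected >= len(burst) - 1
                findings[user] = (len(burst), gave_in)
                break
    return findings
```

The same per-user counter can drive a rate limit on push prompts, which, together with number matching on the prompt, removes the attacker's ability to wear the target down.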
Kevin Reed, CISO at cybersecurity company Acronis, explains in a LinkedIn post that the attacker also found high-privileged credentials on a network file share and used them to access everything, “including production systems, Uber’s Slack management interface and the company’s endpoint detection and response (EDR) portal.”
An Uber employee who asked not to be named claims that the hacker also gained administrative access to Uber's cloud services, including Amazon Web Services (AWS) and Google Cloud (GCP), where Uber stores its source code and customer data, as well as to Uber's HackerOne bug bounty program, which the company has since disabled.
Uber, which initially called this a "cybersecurity incident", continues to downplay the gravity of the situation, releasing a statement on Friday that read: "we have no evidence that the incident involved access to sensitive user data (like trip history)," despite screenshots that suggest otherwise.
No official reports communicate what the state of user information is after the leak, or to what extent this attack compromises the service itself or the personal safety of its users.
This is a developing story.