You read that right: Uber has been hacked. Reportedly, over 1.11 petabytes worth of data could be leaked. At the time of writing, the company is still working on fixing it. So how did the Uber hack happen, and what does it mean for you?
Well, imagine someone messaged you on Slack claiming that your company has been hacked. You probably wouldn’t give much thought to whether it was authentic, right? In fact, you might even assume it to be a poorly attempted prank. That’s precisely what happened to Uber employees on Thursday. Employees were first alerted to the alleged hacker by a message that read “I announce I am a hacker and Uber has suffered a data breach.” However, employees responded to the message and continued to interact with the hacker, assuming it was a joke. It was only later that the company’s Slack, along with several other internal systems, had to be taken offline.
A teenage dream
The alleged hacker, now suspected to be part of the Lapsus$ hacking group, claims to be an 18-year-old who social-engineered his way into the company VPN and scanned Uber’s intranet. The intranet had PowerShell scripts with admin credentials. This allowed the hacker to gain entry to Uber’s AWS, HackerOne, Google Workspace, and other data including the source code.
Meanwhile, Uber says that it suspects the attacker purchased an Uber EXT contractor’s corporate password via the dark web. The attacker then tried to log in repeatedly, causing the contractor to receive multiple 2FA approval requests. One of these requests was eventually accepted by the contractor, which gave the attacker access. This is how the company believes the attacker gained entry into its internal tools.
Simply put, a malicious actor got hold of an Uber employee’s credentials and used them to gain access to the company’s systems.
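The repeated-prompt pattern Uber describes, several 2FA requests followed by one that is accepted, is something a security team can look for in its MFA logs. The following is an added example, not code from Uber or from the original article; the event format, result labels, user names and thresholds are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample MFA push events (not real logs):
# (ISO timestamp, user, push result). Result labels are assumed.
SAMPLE_EVENTS = [
    ("2024-01-10T18:00:05", "contractor.ext", "denied"),
    ("2024-01-10T18:01:10", "contractor.ext", "timeout"),
    ("2024-01-10T18:02:30", "contractor.ext", "denied"),
    ("2024-01-10T18:03:45", "contractor.ext", "denied"),
    ("2024-01-10T18:05:00", "contractor.ext", "approved"),  # accepted after a burst
    ("2024-01-10T09:00:00", "alice", "approved"),           # normal login
    ("2024-01-10T13:00:00", "bob", "denied"),               # one mis-tap, then approve
    ("2024-01-10T13:00:40", "bob", "approved"),
    ("2024-01-10T08:00:00", "carol", "denied"),             # rejections spread over hours
    ("2024-01-10T11:00:00", "carol", "denied"),
    ("2024-01-10T14:00:00", "carol", "denied"),
    ("2024-01-10T17:00:00", "carol", "approved"),
]


def find_push_fatigue(events, window=timedelta(minutes=10), min_rejected=3):
    """Flag approvals that follow a burst of rejected or unanswered pushes.

    Returns a list of (user, approval_time, rejected_count) tuples.
    """
    alerts = []
    recent = {}  # user -> timestamps of rejected/unanswered pushes
    parsed = sorted((datetime.fromisoformat(t), u, r) for t, u, r in events)
    for ts, user, result in parsed:
        # Keep only this user's rejections that fall inside the time window.
        rejected = [t for t in recent.get(user, []) if ts - t <= window]
        if result == "approved":
            if len(rejected) >= min_rejected:
                alerts.append((user, ts.isoformat(), len(rejected)))
            rejected = []  # an approval ends the current streak
        else:
            rejected.append(ts)
        recent[user] = rejected
    return alerts


if __name__ == "__main__":
    for user, when, count in find_push_fatigue(SAMPLE_EVENTS):
        print(f"ALERT {user}: push approved at {when} after {count} rejected prompts")
```

An alert like this is a reason to revoke the new session and contact the user out of band, since the approval itself looks like a legitimate login.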
In any case, if the screenshots are to be believed, there’s at least 1.11 PB of data, though it’s still unclear if any of this data has been leaked yet. But security experts reckon that the incident is a “total compromise” and that “they pretty much have full access to Uber.”
A couple of days after going public about the Uber hack, the company detailed specifics of the incident. In terms of impact, Uber claims it hasn’t found evidence that the attacker accessed its production systems, user accounts, or the databases used to store sensitive user information. The company also states that it encrypts credit card information and personal health data.
Uber goes on to say that, so far, the attacker:
- Does not appear to have made any changes to the codebase or accessed customer/user data stored by third-party cloud providers
- Has downloaded internal Slack messages, and downloaded (or accessed) information from an internal finance tool
- Has accessed the HackerOne dashboard, where bugs and vulnerabilities are reported, though “any bug reports the attacker was able to access have been remediated,” says the company
What Uber is doing
The tech giant has specified several actions taken following the hack, ranging from locking down its codebase to rotating keys. In its latest update, Uber has stated it’s working with leading digital forensics firms as part of the investigation.
“We will also take this opportunity to continue to strengthen our policies, practices, and technology to further protect Uber against future attacks,” the company emphasized further. Now it appears Uber is already looking to upgrade its cybersecurity arm in a big way, at least judging by the recent job openings.
Interestingly, Uber hasn’t asked users to make any changes, such as setting a new password. Furthermore, despite the ongoing security incident, its services appear to operate as usual. Either way, in case you haven’t done so already, we recommend a password change and enabling Two Factor Authentication (check settings). Ideally, you could even request your bank to change your card details if possible, though that might turn out to be extremely tedious.
This isn’t the first Uber hack
Perhaps unsurprisingly, this isn’t the first time Uber got hacked. Back in 2016, a massive cyberattack exposed the data of 57 million drivers and riders. The company recently admitted that it covered up the hack to avoid criminal prosecution, as part of a settlement with the US Department of Justice.
At the time, the hackers used stolen credentials and found their way to accessing and copying large amounts of data. They later approached Uber demanding a USD 100,000 payment to delete the copied data. The tech giant allegedly complied but kept the incident quiet. Then-Chief Security Officer Joe Sullivan was fired following the incident over his role in the response to the attack.
As details continue to emerge on the Uber hack, the scale and severity of the attack seem all the more damning. Though it may be a while until the full story comes out. Meanwhile, Uber Sri Lanka is yet to comment on the security incident, despite the attack’s reach and its potential implications for all users.
[Update 19/09/2022]: Uber has shared an update on its investigations on its site.
[Update 20/09/2022]: Updated article to reflect Uber’s latest findings