Uber employees on Thursday discovered that huge swaths of their internal network had been accessed by someone who announced the feat on the company Slack channel. The intruder, who sent screenshots documenting the breach to The New York Times and security researchers, claimed to be 18 years old and was unusually forthcoming about how it occurred and just how far it reached, according to the news outlet, which broke the story.
It didn’t take long for independent researchers, including Bill Demirkapi, to confirm The New York Times coverage and conclude that the intruder likely gained initial access by contacting an Uber employee over WhatsApp.
The Uber hack is quite severe and wide ranging. Wishing their blue teams the best of luck and love during this understandably difficult period. Some thoughts & observations based on what we’ve seen so far 👉 1/N
— Bill Demirkapi (@BillDemirkapi) September 16, 2022
After successfully obtaining the employee’s account password, the hacker tricked the employee into approving a push notification for multifactor authentication. The intruder then uncovered administrative credentials that gave access to some of Uber’s crown-jewel network resources. Uber responded by shutting down parts of its internal network while it investigates the extent of the breach.
It’s not yet clear precisely what data the hacker had access to or what other actions the hacker took. Uber stores a dizzying array of data on its users, so it’s possible private addresses and the hourly comings and goings of hundreds of millions of people were accessible or accessed.
Here’s what’s known so far.
How did the hacker get in?
According to the NYT, the above-linked tweet thread from Demirkapi, and other researchers, the hacker socially engineered an Uber employee after somehow discovering the employee’s WhatsApp number. In direct messages, the intruder instructed the employee to log in to a fake Uber site, which quickly grabbed the entered credentials in real time and used them to log in to the genuine Uber site.
What happened next?
The attacker reportedly sent company-wide texts on Uber Slack channels, announcing the feat.
“I announce I am a hacker and Uber has suffered a data breach,” one message read, according to the NYT. Screenshots provided evidence that the individual had access to assets, including Uber’s Amazon Web Services and G Suite accounts and code repositories.
It remains unclear what other data the hacker had access to and whether the hacker copied or shared any of it with the world at large. Uber on Friday updated its disclosure page to say: “We have no evidence that the incident involved access to sensitive user data (like trip history).”
What do we know about the hacker?
Not much. The person claims to be 18 years old and took to Uber Slack channels to complain that Uber drivers are underpaid. This, and the fact that the intruder took no steps to conceal the breach, suggest that the breach is likely not motivated by financial gain from ransomware, extortion, or espionage. The identity of the individual remains unknown so far.
What is Uber doing now?
The company acknowledged the breach and is investigating.
September 16, 2022