Uber found out its pc community were breached Thursday, main the corporate to take a number of of its inner communications and engineering methods offline because it investigated the level of the hack.
The breach gave the impression to have compromised a lot of Uber’s inner methods, and an individual claiming duty for the hack despatched photographs of e-mail, cloud garage and code repositories to cybersecurity researchers and The New York Instances.
“They beautiful a lot have complete get right of entry to to Uber,” stated Sam Curry, a safety engineer at Yuga Labs who corresponded with the one who claimed to be accountable for the breach. “This can be a overall compromise, from what it seems like.”
An Uber spokesperson stated the corporate was once investigating the breach and contacting cops.
Uber staff have been recommended to not use the corporate’s inner messaging carrier, Slack, and located that different inner methods have been inaccessible, stated two staff, who weren’t licensed to talk publicly.
In a while earlier than the Slack machine was once taken offline Thursday afternoon, Uber staff gained a message that learn: “I announce I’m a hacker and Uber has suffered a knowledge breach.” The message went directly to checklist a number of inner databases that the hacker claimed were compromised.
The hacker compromised a employee’s Slack account and used it to ship the message, the Uber spokesperson stated. It seemed that the hacker was once later ready to achieve get right of entry to to different inner methods, posting an specific picture on an inner knowledge web page for workers.
The one that claimed duty for the hack advised the Instances that he had despatched a textual content message to an Uber employee claiming to be a company knowledge generation particular person. The employee was once persuaded at hand over a password that allowed the hacker to achieve get right of entry to to Uber’s methods, a method referred to as social engineering.
“A lot of these social engineering assaults to achieve a foothold inside tech firms had been expanding,” stated Rachel Tobac, CEO of SocialProof Safety. Tobac pointed to the 2020 hack of Twitter, during which youngsters used social engineering to damage into the corporate. An identical social engineering ways have been utilized in fresh breaches at Microsoft and Okta.
“We’re seeing that attackers are getting sensible and in addition documenting what is operating,” Tobac stated. “They’ve kits now that provide help to deploy and use those social engineering strategies. It’s grow to be virtually commoditized.”
The hacker, who supplied screenshots of inner Uber methods to show his get right of entry to, stated that he was once 18 years outdated and were running on his cybersecurity abilities for a number of years. He stated he had damaged into Uber’s methods for the reason that corporate had vulnerable safety. Within the Slack message that introduced the breach, the individual additionally stated Uber drivers must obtain upper pay.
The individual gave the impression to have get right of entry to to Uber supply code, e-mail and different inner methods, Curry stated. “It kind of feels like perhaps they’re this child who were given into Uber and doesn’t know what to do with it, and is having the time of his existence,” he stated.
In an inner e-mail that was once observed by means of the Instances, an Uber govt advised staff that the hack was once underneath investigation. “We don’t have an estimate presently as to when complete get right of entry to to equipment shall be restored, so thanks for bearing with us,” wrote Latha Maripuri, Uber’s leader knowledge safety officer.
It was once no longer the primary time {that a} hacker had stolen knowledge from Uber. In 2016, hackers stole knowledge from 57 million motive force and rider accounts, then approached Uber and demanded $100,000 to delete their replica of the information. Uber organized the fee, however stored the breach secret for greater than a 12 months.
Joe Sullivan, who was once Uber’s best safety govt on the time, was once fired for his position within the corporate’s reaction to the hack. Sullivan was once charged with obstructing justice for failing to divulge the breach to regulators and is these days on trial.
Legal professionals for Sullivan have argued that different staff have been accountable for regulatory disclosures and stated the corporate had scapegoated Sullivan.
This newsletter at first seemed in The New York Instances.
