“We have no evidence that the incident involved access to sensitive user data. All of our services including Uber, Uber Eats, Uber Freight, and the Uber Driver app are operational”, according to Uber’s Security Update.
All the services provided by the company are active and the company has notified law enforcement. Previously, the company did not disclose particulars about the attack, and experts believe that it doesn’t have clear idea about the depth of the incident.
Uber confirmed that it notified law enforcement and started an internal investigation into the incident.
The New York Times first reported on the breach mention, using ‘Social Engineering’ techniques, the worker was convinced to give away a password that allowed the hacker to gain access to Uber’s systems.
Before the Slack system was taken offline, Uber employees received a message stating, “I announce I am a hacker and Uber has suffered a data breach.”
The company take some of its internal communications and engineering systems ‘offline’ to mitigate the attack and investigate the intrusion. Additionally, the attackers had access to the company’s HackerOne bug bounty program, which means that they had access to every bug report submitted to the company by white hat hackers.
The Breach Allegedly Involved an 18-Year-Old Teenager
An 18 year old hacker who was working on his cybersecurity skills for several years, sent images of email, cloud storage and code repositories to cybersecurity researchers and The New York Times.
He added saying that Uber had weak security, in the message sent via Slack he also said Uber drivers should receive higher pay. It is also said that the hackers tried to blackmail Uber and demanded $100,000 from the company in exchange for avoiding publishing the stolen data.
“No evidence could mean the attacker did have access, Uber just hasn’t found evidence that the attacker used that access for ‘sensitive’ user data”, security researcher Bill Demirkapi said. “Explicitly saying ‘sensitive’ user data rather than user data overall is also weird.”
Uber says “Internal software tools that we took down as a precaution yesterday are coming back online this morning”. The company promised to post any additional updates as soon as possible.
“Once again, we see that a company’s security is only as good as their most vulnerable employees”.
“We need to think beyond generic training, instead let’s pair our riskiest employees with more specific protective controls. As long as we continue to address cybersecurity as solely a technical challenge, we will continue to lose this battle,” Masha Sedova, co-founder and president of Elevate Security.
“MFA providers should by default automatically lock accounts out temporarily when too many prompts are sent in a short period of time,” Demirkapi said.
Previous Coverage: Uber Hacked – Attackers Gained Full Access to Company’s Critical IT Systems