On Thursday, September 15, Uber
"We're working with several leading digital forensics firms as part of the investigation," Uber wrote on its security dashboard on Monday. "We will also take this opportunity to continue to strengthen our policies, practices, and technology to further protect Uber against future attacks."
According to Uber, the hacker is affiliated with the hacking group Lapsus$ which the company says has already breached Microsoft
Uber says the hacker gained access to "several internal systems" by purchasing an Uber contractor's password on the dark web. The password and credentials were exposed by a malware attack on the contractor's personal device, the company says.
The hacker attempted to log into the account but was stopped by two-factor authentication, but the contractor reportedly eventually accepted one of the two-factor requests after a flurry of attempts. According to some reporting, the hacker posed as another employee to trick the contractor into accepting the request.
"From there, the attacker accessed several other employee accounts which ultimately gave the attacker elevated permissions to a number of tools, including G-Suite and Slack," Uber's report reads. "The attacker then... reconfigured Uber's OpenDNS to display a graphic image to employees on some internal sites."
The hacker, who told the researchers that they were 18 years old, took to Uber's Slack channel to "announce" the hack and list the data they had stolen, including "secrets from sneakers". They finished their message with a hashtag reading, "uberunderpaisdrives". Many Uber employees in the channel apparently thought the message was a joke, responding with dozens of laughing and popcorn emojis.
Uber says that it quickly shut down access to all relevant accounts and tools and that an investigation into the incident is ongoing. Importantly, the company says that no "sensitive user information, like credit card numbers, user bank account info, or trip history" was exposed.
However, the hacker has reportedly shared screenshots that suggest they gained access to the company's cloud-based system which stores users' financial data and other sensitive information. Based on screenshots that have been shared widely online, they were able to access the most sensitive internal systems at Uber.
"It was really bad the access he had. It's awful," said Corbin Leo, a researcher with Zellic security who claims to have spoken with the hacker. "If he had keys to the kingdom he could start stopping services. He could delete stuff. He could download customer data, change people's passwords."
Despite gaining access, Leo and another researcher who contacted the hacker, Sam Curry at Yuga Labs, say that the hack was more about gaining publicity than stealing data. The hacker reportedly didn't tell the researchers how much data had been copied, if any, but did provide proof they had access the data.
"This is a total compromise, from what it looks like," Curry said. "It seems like maybe they're this kid who got into Uber and doesn't know what to do with it, and is having the time of his life."
"My gut feeling is that it seems like they are out to get as much attention as possible," Curry added.
This isn't the first time Uber has suffered a major hack. Currently, former Uber chief of security, Joseph Sullivan, is facing charges for allegedly paying $100,000 to hackers to cover up a cyber heist they committed in 2016. In that hack, the information for roughly 57 million users was stolen. For his part, Sullivan's representation says that he's being scapegoated by the company for a more widespread issue.
