‘Awful’ and ‘Weak’ security: What did the massive breach at Uber reveal?

A message on Uber’s internal system popped up on Thursday telling employees, “I announce I am a hacker and Uber has suffered a data breach.”
20 September 2022

‘Awful’ and ‘Weak’ security: What did the massive breach at Uber reveal? Source: Reuters

  • Uber was hacked last week and a person claiming responsibility for the breach sent images of email, cloud storage and code repositories to prove his access.
  • The hacker compromised a worker’s Slack account and used it to message employees.

In 2016, Uber suffered a massive data breach – a hacker stole the data of 57 million drivers and riders, approached the ride-hailing giant and demanded US$100,000 in ransom to delete their copy of the stolen information. Uber actually made the payment but kept the breach a secret for more than a year. Six years later, another data breach has befallen Uber, and this time the breach was made public almost immediately.

The hack that occurred last week involved the e-hailing giant’s internal communications and engineering systems, leaving them offline while investigations took place. In a report by The New York Times (NYT), Yuga Labs security engineer Sam Curry, who corresponded with the person who claimed to be responsible for the breach, said, “They pretty much have full access to Uber. This is a total compromise, from what it looks like.”

For context, the person who claimed responsibility for the hack sent NYT and other cybersecurity researchers images of email, cloud storage and code repositories from Uber. Apparently, Uber employees were instructed not to use the company’s internal Slack, and they found that other internal systems were also inaccessible. Uber also took to Twitter to share that it was “responding to a cybersecurity incident.”

“We have no evidence that the incident involved access to sensitive user data (like trip history),” the company wrote in a statement following the incident. Based on an internal outage report last Thursday, riders and food delivery customers had been unable to request rides or place orders in locations including Atlanta, Ga. and Brisbane, Australia, though Uber later said the issue was “mitigated.”

Separately, in an internal email that was seen by NYT, an Uber executive told employees that the hack was under investigation. “We don’t have an estimate right now as to when full access to tools will be restored, so thank you for bearing with us,” wrote Uber’s chief information security officer, Latha Maripuri.

A well-planned social engineering breach against Uber

The person who claimed responsibility for the hack told NYT that he had sent a text message to an Uber worker claiming to be a member of corporate IT. The worker was then persuaded to hand over a password that allowed the hacker to gain access to Uber’s systems – a textbook example of social engineering.

Once the hacker compromised a worker’s Slack account and used it to send the message, he appeared to have been able to gain access to other internal systems, posting an explicit photo on an internal information page for employees. It got more interesting when the hacker said that he was 18 years old and had been working on his cybersecurity skills for several years.

He even said he had broken into Uber’s systems because the company had weak security. In the Slack message that announced the breach, the person also said Uber drivers should receive higher pay. The hacker appeared to have access to Uber source code, email and other internal systems, Curry told NYT. “It seems like maybe they’re this kid who got into Uber and doesn’t know what to do with it, and is having the time of his life,” he added.

On top of all that, the hacker also posted as Uber on a chat forum at HackerOne, which acts as an intermediary between researchers who report security vulnerabilities and the companies that are affected. Uber and other companies use that service to manage reports of security flaws in their systems and to reward researchers who find them.

That chat, viewed by The Washington Post, shows that the alleged hacker even claimed access to Uber’s Amazon Web Services account. In a subsequent interview on a messaging app, the alleged hacker told The Post that they had breached the company for fun and might leak source code “in a few months.” The person described Uber security as “awful.”

When asked about any concern of arrest, the alleged hacker told The Post via a Telegram account they were not worried because they lived outside the United States. Another researcher, Corbin Leo, who chatted with the hacker online said “It was really bad the access he had. It’s awful,” [sic] according to NPR’s report.

Screenshots published by the intruder showed he had gained access to systems hosted on Amazon and Google cloud-based servers where Uber stores source code, financial data and customer data such as drivers’ licenses. To put into context how severe that is, Leo, a researcher and head of business development at the security company Zellic, said, “If he had keys to the kingdom he could start stopping services. He could delete stuff. He could download customer data, change people’s passwords.”

Uber resumes with no sensitive data leaked – claim

One day after the alleged hack on Friday, Uber said that all its services were operational with no evidence the hacker got access to sensitive user data. In a statement posted online, Uber noted that “internal software tools that we took down as a precaution yesterday are coming back online.” It said that all its services — including Uber Eats and Uber Freight — were operational once again.

In the 2016 breach involving Uber’s 57 million riders and drivers, the two hackers stole phone numbers, email addresses and names from a third-party server before demanding a US$100,000 bounty. Uber responded by contacting the hackers, paying up and getting signed nondisclosure agreements, according to people familiar with the matter.

To conceal the reputational damage, Uber executives made it appear as if the payout had been part of a “bug bounty” — a common practice among technology companies in which they pay hackers who find and report vulnerabilities in their systems. What remains to be seen now is the severity of the hack this time around, although as of now, no ‘sensitive data’ has been leaked, according to Uber. Ultimately, time will tell.

Update: Uber links breach to Lapsus$ Group

Earlier today, Uber, in a blog post, blamed the Lapsus$ extortion group for last week’s breach. “An Uber EXT contractor had their account compromised by an attacker. It is likely that the attacker purchased the contractor’s Uber corporate password on the dark web, after the contractor’s personal device had been infected with malware, exposing those credentials,” it said.

The hacking group allegedly gained access to several internal Uber systems after stealing a third-party contractor’s credentials and then convincing the contractor to approve a two-factor authentication request. The findings, according to Uber, are based on close coordination with the FBI and US Justice Department. To recall, the Lapsus$ extortion group is known for breaching other high-profile tech companies such as Microsoft, Cisco, NVIDIA, Samsung, and Okta.
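As an added illustration, not code from Uber or from this article: a small detector, run over constructed authentication logs, that flags the pattern described above, where a valid password is followed by repeated push prompts until the user finally approves one. The log format, user names, timestamps and thresholds are all assumptions made for the example.

```python
"""Flag MFA push-fatigue: an approval preceded by several rejected or
unanswered push prompts in a short window. Added example; log format,
users and thresholds are constructed, not Uber's real data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> <user> <event> <result>"
SAMPLE_LOG = """\
2022-09-15T22:01:03Z contractor01 mfa_push denied
2022-09-15T22:01:41Z contractor01 mfa_push denied
2022-09-15T22:02:10Z contractor01 mfa_push timeout
2022-09-15T22:02:55Z contractor01 mfa_push denied
2022-09-15T22:03:30Z contractor01 mfa_push approved
2022-09-15T22:05:00Z alice mfa_push approved
2022-09-15T22:40:00Z bob mfa_push denied
2022-09-15T23:10:00Z bob mfa_push approved
"""

def parse_line(line):
    """Split one constructed log line into (timestamp, user, event, result)."""
    ts, user, event, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, result

def find_push_fatigue(log_text, window=timedelta(minutes=10), min_failed=3):
    """Return (user, approval_time, failed_prompts) for every approval that
    followed at least `min_failed` non-approved push prompts within `window`.
    Timeouts count as non-approved: an ignored prompt is still a prompt."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event, result = parse_line(line)
        if event == "mfa_push":
            by_user[user].append((ts, result))
    alerts = []
    for user, events in by_user.items():
        events.sort()  # order by timestamp; logs may arrive out of order
        for i, (ts, result) in enumerate(events):
            if result != "approved":
                continue
            prior = [r for t, r in events[:i]
                     if ts - t <= window and r != "approved"]
            if len(prior) >= min_failed:
                alerts.append((user, ts, len(prior)))
    return alerts

if __name__ == "__main__":
    for user, when, n in find_push_fatigue(SAMPLE_LOG):
        print(f"ALERT {user}: approval at {when} after {n} unapproved prompts")
```

In a real deployment the same logic would read the identity provider's push-notification audit events and raise a ticket for the approved session rather than printing; a single denied prompt well outside the window, like bob's, is ordinary user behaviour and is not flagged.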

Though the attackers accessed several internal systems, Uber said it does not appear they infiltrated any public-facing systems, user accounts, or databases that store sensitive user information like credit card numbers. Additionally, Uber said it doesn’t appear that the attackers accessed any customer or user data stored by its cloud providers.

“The attacker accessed several internal systems, and our investigation has focused on determining whether there was any material impact. While the investigation is still ongoing, we do have some details of our current findings that we can share,” Uber noted.