Uber confirms ‘cybersecurity incident’ after 18-year-old man claims involvement in massive hack
What just happened? Uber is investigating a cybersecurity incident that compromised many of its internal systems, giving the 18-year-old hacker almost full access to the company’s network. The breach is considered as serious as, or even worse than, the 2016 incident, when data on 57 million customers was exposed.
The New York Times reports that the hacker used a common social engineering technique to access Uber’s systems. He sent a text message to one of the taxi giant’s employees, claiming he was a corporate IT professional. The worker was persuaded to hand over his password, giving the perpetrator access to the Uber network.
The hacker provided the NYT with screenshots of Uber’s internal systems as proof of his successful attack. He told the publication that he is 18 and has been working on his cybersecurity skills for several years, adding that Uber’s weak security prompted him to compromise its network.
After gaining access, the hacker sent a message to employees on Slack stating: “I announce that I am a hacker and Uber has had a data breach.” It lists several compromised databases and appears to call for higher wages for Uber drivers. Earlier today, Uber shut down its internal Slack and engineering systems while investigating the leak.
Sam Curry, a security engineer at Yuga Labs who corresponded with the hacker, said the man has full administrative access to Uber’s Amazon Web Services and Google Cloud services. “It looks like this is a kid who got into Uber and doesn’t know what to do with it and is spending time in his life,” Curry said.
In an official statement, Uber wrote: “We are currently responding to a cyber security incident. We are in contact with law enforcement and will post additional updates here as they become available.”
Apart from his age, little is known about the hacker, although he is presumed to be British; the employee said he used the word “wank” and he could use the username “teapots2022”. He also accessed an Uber account to search for HackerOne vulnerabilities and left comments on several reports.
From an Uber employee:
Feel free to share, but please don’t believe me: At Uber, we received an “URGENT” email from IT Security saying we should stop using Slack. Now every time I request a website, I get to a REDACTED page with a pornographic image and the message “F*** you wankers”.
— Sam Curry (@samwcyo) September 16, 2022
According to Acronis Chief Information Security Officer Kevin Reid, the hacker gained access to production systems, the corporate EDR (endpoint detection and response) console, and the Uber Slack management interface. It’s still unclear how he bypassed 2FA after stealing the Uber employee’s password, and we still don’t know whether customer information was accessed.
The breach has been compared to a 2016 incident in which the names, email addresses and phone numbers of 50 million Uber customers were stolen, along with the personal details of 7 million drivers. Uber paid the responsible hackers $100,000 to delete the data and keep the incident from becoming public, and it covered up the leak for over a year. The company had to pay $148 million in damages for the hack and its refusal to disclose what happened.