Updated on 2022-12-13
Uber suffered a data breach after an attacker leaked the employee email addresses, IT asset information, and corporate reports stolen from a third-party vendor, Teqtivity. Read more: Uber suffers new data breach after attack on vendor, info leaked online
Updated on 2022-12-12: Uber hacked data leaked online
The details of more than 77,000 Uber employees, along with source code and credentials for some of the company's internal IT network, were leaked online on an underground cybercrime forum over the weekend. Uber confirmed the authenticity of the leaked files in a statement sent to BleepingComputer. The company blamed the leak on a breach at Teqtivity, one of its IT service providers. Teqtivity formally disclosed the breach a day later, on Thursday. Other companies that use Teqtivity's services may also have had their data stolen. This marks Uber's second breach this year, after the company was hacked by the Lapsus$ gang in September. Read more:
Updated on 2022-10-09: Former Uber CSO convicted of covering up 2016 data breach
Uber's former chief security officer Joe Sullivan was found guilty this week of covering up a massive data breach at the ride-hailing giant in 2016, in which hackers made off with information on 57 million drivers and riders. The case got a ton of attention across the CISO and CSO crowd, with some fearing that it opens security folk up to prosecution in what is already a tough and challenging job. The Record spoke to over a dozen CISOs to survey the land. Some say Sullivan (who was fired from Uber after the breach came to light, was later appointed CSO at Cloudflare, and left that role citing his ongoing legal case) was scapegoated. But it wasn't the breach itself that was the issue; it was that Sullivan deliberately tried to hide the incident from federal investigators by making the hackers sign NDAs and paying them $100,000 through a "bug bounty" to stop them from releasing the data. Sullivan will be sentenced at a later date and faces years in prison for obstruction and misprision of a felony. Read more:
- Why I’m Joining Cloudflare
- Former Chief Security Officer Of Uber Convicted Of Federal Charges For Covering Up Data Breach Involving Millions Of Uber User Records
- Security chiefs fear ‘CISO scapegoating’ following Uber-Sullivan verdict
- The Uber Data Breach Conviction Shows Security Execs What Not to Do
- Former Uber security chief convicted for concealing a felony
- Joe Sullivan guilty in Uber hacking case
Sullivan kept in-house counsel in the dark about breach while they negotiated with FTC to close investigation of company. “did he mention there was another incident that may be relevant to FTC's investigation?” Dawson asked.
Ross answered, “No.” https://t.co/S8gOfchutS
— Kim Zetter (@KimZetter) October 6, 2022
Our story on the surprise conviction of Joe Sullivan, former security head of Uber, Cloudflare and Facebook. https://t.co/hAjMu3MsUk
— Joseph Menn (@josephmenn) October 5, 2022
Updated on 2022-10-06: Former Uber CSO Found Guilty of Obfuscating 2016 Breach
Former Uber Chief Security Officer (CSO) Joe Sullivan has been convicted on charges of obstructing justice and actively hiding a felony. While the Federal Trade Commission was investigating an earlier data breach of Uber’s system, Sullivan learned of a new breach. He arranged for the attackers to be paid a ransom through Uber’s bug bounty system.
- It is important to note that legal actions against CISOs (as with other corporate execs) are not coming from failure to avoid an attack. The ones to date have been brought because laws around notification or reporting were violated. Every company should by now be far past the point where avoiding or whitewashing breach notifications is even considered.
- This keeps getting better and better. Sweeping issues under the rug or cleverly reclassifying a breach as a vulnerability disclosure is at best a fool's errand and at worst a career-ending move. Aside from ensuring confidentiality is maintained appropriately, keep records of disclosure decisions and leverage your legal counsel.
Read more in
- Former Uber Security Chief Found Guilty of Hiding Hack From Authorities
- Former Uber security chief convicted of covering up 2016 data breach
- Ex-Uber chief security officer convicted of covering up 2016 breach
- Former Uber CSO convicted for covering up massive 2016 data theft
An Uber EXT contractor had their account compromised by an attacker. It is likely that the attacker purchased the contractor’s Uber corporate password on the dark web, after the contractor’s personal device had been infected with malware, exposing those credentials. The attacker then repeatedly tried to log in to the contractor’s Uber account. Each time, the contractor received a two-factor login approval request, which initially blocked access. Eventually, however, the contractor accepted one, and the attacker successfully logged in.
From there, the attacker accessed several other employee accounts which ultimately gave the attacker elevated permissions to a number of tools, including G-Suite and Slack. The attacker then posted a message to a company-wide Slack channel, which many of you saw, and reconfigured Uber’s OpenDNS to display a graphic image to employees on some internal sites.
This one still seems to be running, so there's likely more news coming over time. But from the sounds of it, the hacker relied on MFA fatigue: when a normal user sees the same approval notification over and over, they are far more likely to approve one by accident, or to be talked into doing so by the attacker (who, as claimed on Twitter, posed as Uber IT).
What you can learn from this is that any second factor that can be satisfied with a single tap or keypress, such as pressing any key on the phone or simply tapping "Approve", is not as secure as one that binds the approval to the specific login attempt. Number matching in the push prompt (the user must type a code shown on the login screen) makes blind approval impossible, and FIDO2/WebAuthn authenticators go further by signing a challenge tied to the site's origin, so there is no prompt to fatigue and nothing for a fake IT caller to phish.
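The pattern described above (a burst of denied or unanswered push prompts for one account, followed by an approval) is also a detectable one. The following is an added example, not Uber's or any MFA vendor's code: a small detector that runs over push-prompt logs and flags both a burst in progress and an approval that follows one. The log format, the field names and the sample lines are all constructed for the example; a real deployment would parse the provider's own export (Duo, Okta, Azure AD sign-in logs and so on), which is an assumption left to the reader.

```python
"""Push-fatigue (MFA bombing) detector over authentication logs.

Added example, not Uber's or any MFA vendor's code. The log format below is an
assumption: one line per push prompt with timestamp, user, result and the source
IP of the login attempt that triggered it. Adapt parse_log() to your provider.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed sample log (not real data). A contractor account receives a burst
# of prompts that are denied or time out, then one is finally approved; the
# other users show normal behaviour that must not trigger an alert.
SAMPLE_LOG = """\
2022-09-15T02:10:05Z ext.contractor denied 203.0.113.7
2022-09-15T02:10:41Z ext.contractor timeout 203.0.113.7
2022-09-15T02:11:20Z ext.contractor denied 203.0.113.7
2022-09-15T02:12:02Z ext.contractor timeout 203.0.113.7
2022-09-15T02:13:15Z ext.contractor denied 203.0.113.7
2022-09-15T02:14:30Z ext.contractor timeout 203.0.113.7
2022-09-15T02:24:02Z ext.contractor approved 203.0.113.7
2022-09-15T08:30:00Z alice approved 198.51.100.12
2022-09-15T09:01:10Z bob denied 198.51.100.40
2022-09-15T09:01:55Z bob approved 198.51.100.40
"""


@dataclass
class PushEvent:
    ts: datetime
    user: str
    result: str  # "approved", "denied" or "timeout"
    src_ip: str


def parse_log(text: str) -> List[PushEvent]:
    """Parse the assumed whitespace-separated format into events sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, src_ip = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(PushEvent(when, user, result, src_ip))
    return sorted(events, key=lambda e: e.ts)


def detect_push_fatigue(events: List[PushEvent],
                        window: timedelta = timedelta(minutes=30),
                        threshold: int = 5) -> List[Dict]:
    """Return alerts for users who receive `threshold` or more unapproved pushes
    within `window`, and for approvals that follow such a burst.

    Two alert kinds are emitted:
      push_bombing_in_progress    - the burst reached the threshold (page on-call now)
      approval_after_push_bombing - the user finally tapped approve; treat the
                                    resulting session as compromised until proven otherwise
    """
    alerts: List[Dict] = []
    pending: Dict[str, List[PushEvent]] = defaultdict(list)  # unapproved prompts per user
    for ev in events:
        burst = pending[ev.user]
        # Drop prompts that have aged out of the window.
        burst[:] = [e for e in burst if ev.ts - e.ts <= window]
        if ev.result == "approved":
            if len(burst) >= threshold:
                alerts.append({
                    "kind": "approval_after_push_bombing",
                    "user": ev.user,
                    "approved_at": ev.ts.isoformat(),
                    "prior_prompts": len(burst),
                    "source_ips": sorted({e.src_ip for e in burst} | {ev.src_ip}),
                })
            burst.clear()  # an approval ends the burst either way
        else:
            burst.append(ev)
            if len(burst) == threshold:  # fire once, when the burst first qualifies
                alerts.append({
                    "kind": "push_bombing_in_progress",
                    "user": ev.user,
                    "first_prompt": burst[0].ts.isoformat(),
                    "last_prompt": ev.ts.isoformat(),
                    "source_ips": sorted({e.src_ip for e in burst}),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample the contractor produces two alerts (the burst at its fifth prompt, then the approval with six prior prompts behind it), while bob's single denied prompt followed by an approval stays silent. The "in progress" alert is the one worth paging on: at that point the account has not yet been compromised and a call to the user, or a temporary lock on the account, still prevents it.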
Updated 2022-09-25: Uber says Lapsus$ hackers to blame for breach; London police arrest suspect
Uber provided more details about its uber-breach last week, which saw a hacker boast about vast, near-limitless access to its network. In an update, Uber said the hacker compromised an Uber contractor's account, which gave them a foothold on the company's network. There are still no details about how the hacker got access to everything else from there, though. Uber said the hacker was linked to Lapsus$, the crime group that previously broke into Microsoft, Samsung, T-Mobile, and others this year. Another victim came to light: Grand Theft Auto VI maker Rockstar Games was hacked, with footage of the company's latest game leaked online. Uber said the two hacks were linked. In both cases, the hacker socially engineered employees into turning over access, including via MFA fatigue (aka MFA bombing), which relies on spamming MFA requests to a target's phone until they eventually accept.
By the end of the week, London police charged a 17-year-old on suspicion of hacking — the same police force that nabbed (some of) Lapsus$ to begin with.
Teenager charged with breach of bail and computer misuse offences pic.twitter.com/8rQnsPblIL
— City of London Police (@CityPolice) September 24, 2022
But U.K. reporting restrictions mean U.K. journalists can't say much about them, for now.
This is very significant. But we can’t say why because of reporting restrictions…. https://t.co/Sao4gjhce4
— Joe Tidy (@joetidy) September 23, 2022
Read more in
- Uber says Lapsus$-linked hacker responsible for breach
- Uber blames Lapsus$ hacking group for security breach
- Grand Theft Auto VI footage leaked after hack, developer Rockstar confirms
- How do you stop another Uber hack?
- UK police arrest 17-year-old on suspicion of hacking
Updated 2022-09-21: Uber links hack to Lapsus$ gang
In an update to its data breach blog post, ride-hailing company Uber said the security breach uncovered over the weekend targeted one of the company’s external contractors and appears to have been carried out by an individual affiliated with the Lapsus$ hacking group. The company also confirmed that most of the second-hand analysis of the hack posted on social media by various researchers was authentic. This included:
- Purchasing Uber credentials from underground markets
- Using push notification spam to bypass MFA on the employee's account
- Gaining access to its G-Suite and Slack channels
- Reconfiguring Uber's OpenDNS to display a graphic image to employees on some internal sites
Uber said no customer data was accessed and that its services remained online during the breach. The company said it’s still investigating the incident together with law enforcement.
Updated 2022-09-21: Uber Breach
Uber suffered a cybersecurity breach on Thursday, September 15. The company has acknowledged that an attacker was able to access internal systems, including Uber's G Suite account and its HackerOne bug bounty dashboard.
- A lot has already been written about this incident. But let’s remember that most initial information later turns out to be wrong or incomplete. Do not make decisions about your security options based on a single, not yet completely understood, incident.
- While the Uber contractor's account was protected by 2FA, the repeated login authorization prompts ultimately succeeded in getting an approval from the contractor. As tempting as it is to approve to "make it stop", it's important to educate users to contact the security team when receiving unexpected or frequent access approval messages, so that the requests can be verified or the malfeasance tracked. Note that Uber has taken several steps, including not only re-authenticating employee access to related tools but also implementing stronger MFA, to mitigate the risk of recurrence. Uber reviewed its VDP dashboard and, at the time of the attack, no unmitigated vulnerabilities were listed. No sensitive data appears to have been accessed. Note that Uber encrypts sensitive data such as credit cards and personal health data.
- A primary driver of this breach was stolen credentials, including tricking an employee into approving an MFA request. While MFA can dramatically reduce the risk of password attacks, the problem is we have made MFA both confusing (there are multiple different implementations) and requiring different types / levels of human interaction. This is why I'm so excited about Apple's new FIDO passkey deployment in the latest iOS / macOS: it takes the entire authentication process away from people and simplifies it through biometrics.
Read more in
- Uber Newsroom > Security update
- Uber Confirms Hacker Accessed Internal Tools, Bug Bounty Dashboard
- Uber links breach to Lapsus$ group, blames contractor for hack
- Uber explains how it was pwned this month, points finger at Lapsus$ gang
- Uber confirms hack in the latest access and identity nightmare for corporate America
While Uber is still looking into its recent security breach, the company posted a formal update on its investigation and said that based on current evidence, there is no indication that the intruder—believed to be a teenager—gained access to any sensitive user data (like trip history). The company said that all its services, like Uber, Uber Eats, Uber Freight, and the Uber Driver app, are fully operational.
Uber got all the way hacked, supposedly by an 18-year-old who shared his activities with multiple security researchers. It started by phishing an employee's 2FA code by pretending to be IT, and from there he got VPN access, access to Slack, a file share containing scripts with hardcoded creds, AWS, G Suite, vSphere, Duo, OneLogin, and, well, basically everything. Including its HackerOne program, which held all its previous vulnerability reports. It's easy to poke fun at a big company being owned this badly by a teenager, but the truth is most companies are just as vulnerable. Passwordless (FIDO2, etc.) won't solve everything, but it can't come fast enough.
Uber said on Monday a hacker affiliated with Lapsus$ hacking group was responsible for a cyber-attack that forced the company to shut down several internal communications temporarily last week. Read more: Uber says Lapsus$-linked hacker responsible for breach
Uber was hacked, and it looks bad — “screenshots of sensitive internal dashboards posted on the internet”-style bad. Uber hasn’t said much about the hack, only that it was “responding to a cybersecurity incident.” It’s not clear if this is a data breach, but the hacker’s access appeared broad and extensive, gaining access to AWS and Google cloud dashboards (where Uber stores customer data), Uber’s Slack (where the hacker announced the breach — no less), and its HackerOne account (which it uses for bug bounties and remediating serious vulnerabilities).
When the individual breached Uber, they sent a slack notification to everyone informing them the company had been breached.
Employees thought it was a joke.
Photo via @ColtonSeal pic.twitter.com/tTTdPCTdV4
— vx-underground (@vxunderground) September 16, 2022
The hacker, who claims to be an 18-year-old, according to several security researchers who spoke with them, basically got the keys to Uber’s kingdom by spamming MFA prompts until an employee accepted.
Apparently there was an internal network share that contained PowerShell scripts…
"One of the powershell scripts contained the username and password for an admin user in Thycotic (PAM). Using this I was able to extract secrets for all services, DA, DUO, Onelogin, AWS, GSuite" pic.twitter.com/FhszpxxUEW
— Corben Leo (@hacker_) September 16, 2022
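A share full of administrative PowerShell is exactly the place to go looking for the kind of hardcoded credential the tweet above describes, and you can look before an attacker does. The block below is an added example, not Uber's tooling or anything from the researchers quoted here: a small scanner that walks a share for PowerShell files and reports lines that assign a literal secret to a variable, feed a literal string to ConvertTo-SecureString -AsPlainText, or pass a literal to a -Password/-Secret/-Token style parameter, masking the value in the report so the findings themselves do not become a credential dump. The three regexes are heuristics (assumed patterns, expect both misses and false positives), and the sample script, its hostnames, account names and password values are all constructed; the PAM product and the Connect-VIServer cmdlet appear only because the page mentions Thycotic and vSphere.

```python
"""Hardcoded-credential scanner for PowerShell scripts on a file share.

Added example, not Uber's tooling. The rules are heuristic regexes (an
assumption about what "a credential in a script" usually looks like); tune
them to your environment and expect some noise.
"""
import os
import re
from typing import List, Tuple

# Each rule: (description, compiled regex). Every regex has a named group
# "secret" holding the literal value so the report can mask it.
RULES = [
    ("plaintext secret assigned to a variable",
     re.compile(r'(?i)\$\w*(?:pass(?:word|wd)?|pwd|secret|token|api_?key)\w*\s*=\s*["\'](?P<secret>[^"\']+)["\']')),
    ("literal string converted with ConvertTo-SecureString -AsPlainText",
     re.compile(r'(?i)ConvertTo-SecureString\s+["\'](?P<secret>[^"\']+)["\']\s+-AsPlainText')),
    ("secret passed as a literal parameter value",
     re.compile(r'(?i)-(?:Password|Secret|Token|ApiKey)\s+["\'](?P<secret>[^"\']+)["\']')),
]

# Constructed sample of the kind of script found on a share. Hostnames,
# accounts and the password are fake; lines 10-11 show the safe alternatives
# (prompting, environment/vault lookup) that the scanner must not flag.
SAMPLE_SCRIPT = """\
# Constructed sample of the kind of script found on a share; the values are fake.
$server = "pam.example.internal"
$user = "svc-pam-admin"
$password = "Winter2022!"
$secure = ConvertTo-SecureString "Winter2022!" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ($user, $secure)
Invoke-RestMethod -Uri "https://$server/api/secrets" -Credential $cred
Connect-VIServer -Server vcenter.example.internal -User administrator -Password "Winter2022!"
# Patterns that should NOT be flagged: prompting and environment lookups
$prompted = Read-Host "Password" -AsSecureString
$fromEnv = $env:PAM_PASSWORD
"""

Finding = Tuple[str, int, str, str]  # (path, line number, rule, masked line)


def scan_text(text: str, path: str = "<inline>") -> List[Finding]:
    """Scan one script body; comment lines are skipped, secrets are masked."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        for rule, rx in RULES:
            for m in rx.finditer(line):
                masked = line[:m.start("secret")] + "***" + line[m.end("secret"):]
                findings.append((path, lineno, rule, masked.strip()))
    return findings


def scan_share(root: str) -> List[Finding]:
    """Walk a mounted share (or any directory) and scan every PowerShell file."""
    findings: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".ps1", ".psm1", ".psd1")):
                path = os.path.join(dirpath, name)
                try:
                    with open(path, encoding="utf-8", errors="replace") as fh:
                        findings.extend(scan_text(fh.read(), path))
                except OSError:
                    continue  # unreadable file: skip rather than abort the sweep
    return findings


if __name__ == "__main__":
    for path, lineno, rule, masked in scan_text(SAMPLE_SCRIPT, "sample.ps1"):
        print(f"{path}:{lineno}: {rule}: {masked}")
```

On the sample it reports lines 4, 5 and 8 and nothing else; the Read-Host and $env: lines, which are what those three lines should be replaced with (or better, a call into the PAM/vault API under a short-lived identity), pass clean. Run scan_share("/mnt/scripts") against a read-only mount of the share to sweep it.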
It’s a fast-paced incident, so expect more to come in the next few days. As usual in cases like this, @billdemirkapi has an excellent thread on what went down, and Ars Technica has a timeline and a deeper dive.
The scope of this attack demonstrates another problem with centralizing authentication. It can often be a single point of failure that can give attackers a wide variety of access, as we've seen in this example. USE PHISHING RESISTANT MFA!! Stop making it easy for attackers. 12/N
— Bill Demirkapi (@BillDemirkapi) September 16, 2022
Read more in
- Serious breach at Uber spotlights hacker social deception
- The Uber Hack’s Devastation Is Just Starting to Reveal Itself
- Uber Investigating Breach of Its Computer Systems
- Uber was breached to its core, purportedly by an 18-year-old. Here’s what’s known
If phishing a single employee can lead to everything in your infrastructure being compromised that easily, that employee is not to blame
— Ian Coldwater (@IanColdwater) September 16, 2022