
Uber investigating breach of computer systems

Updated 2022-09-26

An Uber EXT contractor had their account compromised by an attacker. It is likely that the attacker purchased the contractor’s Uber corporate password on the dark web, after the contractor’s personal device had been infected with malware, exposing those credentials. The attacker then repeatedly tried to log in to the contractor’s Uber account. Each time, the contractor received a two-factor login approval request, which initially blocked access. Eventually, however, the contractor accepted one, and the attacker successfully logged in.

From there, the attacker accessed several other employee accounts which ultimately gave the attacker elevated permissions to a number of tools, including G-Suite and Slack. The attacker then posted a message to a company-wide Slack channel, which many of you saw, and reconfigured Uber’s OpenDNS to display a graphic image to employees on some internal sites.

This one still seems to be unfolding, so there's likely more news to come over time. But from the sounds of it, the hacker relied on MFA fatigue: when a normal user sees approval notifications over and over, they are far more likely to press accept by mistake, or to be tricked into doing so by the attacker (as claimed on Twitter).

What you can learn from this is that any MFA method with a simple accept action, such as pressing any key on the phone or tapping Approve, is not as secure as one that verifies the user is responding to the right MFA prompt, for example number matching, where the login screen shows a code that must be entered on the device, or a FIDO2 authenticator bound to the site's origin.
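As an added illustration of that difference (example code, not Uber's or any vendor's implementation): a model of a push-MFA server that requires number matching and stops pushing after a few unanswered prompts. The class, the policy constants and the surrounding login flow are assumptions made for this example.

```python
"""Push MFA with number matching and a cap on unanswered prompts.

Added example: a model of a login service, not Uber's or any vendor's code.
The login page shows a two-digit number taken from the challenge; the
authenticator app must send that number back. A bare "approve" (number=None)
counts as a denial, so a user who presses Approve just to make the prompts
stop cannot complete an attacker's login. All policy constants are hypothetical.
"""
import secrets
import time
from dataclasses import dataclass

MAX_UNANSWERED_PROMPTS = 3    # hypothetical: lock after this many unanswered pushes
BOMBING_WINDOW_SECONDS = 600  # hypothetical: window over which unanswered pushes are counted
PROMPT_TTL_SECONDS = 60       # hypothetical: a prompt not answered in time expires


@dataclass
class Challenge:
    challenge_id: str
    user: str
    number: int        # displayed on the login page, typed into the app
    created: float
    decided: bool = False
    approved: bool = False


class PushMfaServer:
    def __init__(self, now=time.time):
        self._now = now          # injectable clock so the flow can be exercised offline
        self._challenges = {}
        self._locked = set()

    def is_locked(self, user):
        return user in self._locked

    def _unanswered_recent(self, user):
        """Prompts for this user that were never answered, approved or denied,
        within the bombing window (expired prompts still count)."""
        return [c for c in self._challenges.values()
                if c.user == user and not c.decided
                and self._now() - c.created < BOMBING_WINDOW_SECONDS]

    def start_login(self, user):
        """Called once the password has been verified. Returns the challenge
        whose number the login page should display, or None if no push may be
        sent (account locked, or too many prompts already unanswered)."""
        if user in self._locked:
            return None
        if len(self._unanswered_recent(user)) >= MAX_UNANSWERED_PROMPTS:
            # several pushes went unanswered: this looks like MFA bombing, so
            # stop pushing and lock the account until the security team reviews it
            self._locked.add(user)
            return None
        ch = Challenge(secrets.token_hex(8), user, secrets.randbelow(100), self._now())
        self._challenges[ch.challenge_id] = ch
        return ch

    def respond(self, challenge_id, number):
        """Called by the authenticator app. Returns True only when the number
        the user typed matches the one issued for this specific challenge."""
        ch = self._challenges.get(challenge_id)
        if ch is None or ch.decided:
            return False                   # unknown prompt, or a replayed answer
        ch.decided = True                  # exactly one answer per prompt
        if self._now() - ch.created >= PROMPT_TTL_SECONDS:
            return False                   # prompt expired before it was answered
        # a plain Approve (number=None) or a wrong number is a denial
        ch.approved = number is not None and number == ch.number
        return ch.approved
```

The design point is that approval is only possible from the device of someone who can see the login page, and that the server, not the user, decides when enough unanswered prompts is enough.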

Updated 2022-09-25: Uber says Lapsus$ hackers to blame for breach; London police arrest suspect

Uber provided more details about its uber-breach last week, which saw a hacker boast about vast, near-limitless access to its network. In an update, Uber said the hacker compromised an Uber contractor's account, which gave them a foothold on the company's network. There are still no details about how the hacker got access to everything from there, though. Uber said the hacker was linked to Lapsus$, the crime group that previously broke into Microsoft, Samsung, T-Mobile and others this year. Another victim also came to light: Grand Theft Auto VI maker Rockstar Games was hacked, with footage of the company's latest game leaked online. Uber said the two hacks were linked. In both cases the hacker socially engineered employees into turning over access, including through MFA fatigue (aka MFA bombing), which relies on spamming MFA requests to a target's phone until they eventually accept.

By the end of the week, London police charged a 17-year-old on suspicion of hacking — the same police force that nabbed (some of) Lapsus$ to begin with.

But U.K. reporting restrictions mean U.K. journalists can't say much about them, for now.


Updated 2022-09-21: Uber links hack to Lapsus$ gang

In an update to its data breach blog post, ride-hailing company Uber said the security breach uncovered over the weekend targeted one of the company’s external contractors and appears to have been carried out by an individual affiliated with the Lapsus$ hacking group. The company also confirmed that most of the second-hand analysis of the hack posted on social media by various researchers was authentic. This included:

  • Purchasing Uber credentials from underground markets
  • Using push notification spam to bypass MFA on the contractor's account.
  • Gaining access to its G-Suite and Slack channels.
  • Reconfiguring Uber's OpenDNS to display a graphic image to employees on some internal sites.

Uber said no customer data was accessed and that its services remained online during the breach. The company said it’s still investigating the incident together with law enforcement.

Updated 2022-09-21: Uber Breach

Uber suffered a cybersecurity breach on Thursday, September 15. The company has acknowledged that an attacker was able to access internal systems, including Uber's G Suite account and its HackerOne bug bounty dashboard.

  • A lot has already been written about this incident. But let’s remember that most initial information later turns out to be wrong or incomplete. Do not make decisions about your security options based on a single, not yet completely understood, incident.
  • While the Uber contractor's account was protected by 2FA, the repeated login authorization prompts ultimately extracted an approval from the contractor. As tempting as it is to approve to "make it stop", it's important to educate users to contact the security team when they receive unexpected or frequent access approval messages, so that the prompts can be confirmed as legitimate or the malfeasance can be tracked. Note that Uber has taken several steps to mitigate the risk of recurrence, including not only re-authenticating employee access to related tools but also implementing stronger MFA. Uber reviewed its VDP dashboard and, at the time of the attack, no unmitigated vulnerabilities were listed. No sensitive data appears to have been accessed. Note that Uber encrypts sensitive data such as credit card numbers and personal health data.
  • A primary driver of this breach was stolen credentials, including tricking an employee into approving an MFA request. While MFA can dramatically reduce the risk of password attacks, the problem is we have made MFA both confusing (there are multiple different implementations) and demanding of different types / levels of human interaction. This is why I'm so excited about Apple's new FIDO Passkey deployment in the latest iOS / macOS: it takes the entire authentication process away from people and simplifies it through biometrics.
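An added example of the "track the malfeasance" side of the advice above, not code from this page or from Uber: a small detector that reads push-MFA log lines and flags accounts that receive a burst of prompts, escalating when the burst ends in an approval. The log format, the thresholds and the sample lines are all constructed for this example.

```python
"""Detecting MFA fatigue (push bombing) in authentication logs.

Added example, not Uber's or any vendor's code. Input lines use a made-up
format:
    <ISO timestamp> user=<name> event=push result=<sent|denied|timeout|approved> ip=<addr>
A user is flagged when at least THRESHOLD push prompts fall inside any WINDOW;
the finding is high severity if a qualifying burst ends in an approval, which
is exactly the "gave in to make it stop" outcome. Thresholds are hypothetical.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # hypothetical tuning
THRESHOLD = 5                    # hypothetical tuning

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=push result=(?P<result>\S+) ip=(?P<ip>\S+)$"
)

# Constructed sample log: alice is bombed for seven minutes and finally approves,
# bob has one denial then a normal approval, carol gets five prompts spread over
# half an hour (never more than two inside a 10-minute window).
SAMPLE_LOG = [
    "2022-09-15T02:00:00 user=alice event=push result=timeout ip=203.0.113.7",
    "2022-09-15T02:01:10 user=alice event=push result=denied ip=203.0.113.7",
    "2022-09-15T02:02:05 user=alice event=push result=timeout ip=203.0.113.7",
    "2022-09-15T02:03:30 user=alice event=push result=denied ip=203.0.113.7",
    "2022-09-15T02:05:00 user=alice event=push result=timeout ip=203.0.113.7",
    "2022-09-15T02:07:45 user=alice event=push result=approved ip=203.0.113.7",
    "2022-09-15T09:00:00 user=bob event=push result=denied ip=198.51.100.4",
    "2022-09-15T09:01:00 user=bob event=push result=approved ip=198.51.100.4",
    "2022-09-15T10:00:00 user=carol event=push result=timeout ip=192.0.2.9",
    "2022-09-15T10:08:00 user=carol event=push result=timeout ip=192.0.2.9",
    "2022-09-15T10:16:00 user=carol event=push result=timeout ip=192.0.2.9",
    "2022-09-15T10:24:00 user=carol event=push result=timeout ip=192.0.2.9",
    "2022-09-15T10:32:00 user=carol event=push result=timeout ip=192.0.2.9",
    "this line is not a push event and is skipped",
]


def parse(lines):
    """Turn raw lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "user": m["user"],
            "result": m["result"],
            "ip": m["ip"],
        })
    return events


def detect_mfa_fatigue(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {user: {"prompts", "severity", "approved_from"}} for every user
    with at least `threshold` prompts inside any sliding `window`."""
    by_user = defaultdict(list)
    for e in sorted(parse(lines), key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)

    findings = {}
    for user, evs in by_user.items():
        start = 0
        for end, ev in enumerate(evs):
            # slide the window start forward until it covers at most `window`
            while ev["ts"] - evs[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count < threshold:
                continue
            f = findings.setdefault(
                user, {"prompts": 0, "severity": "medium", "approved_from": None})
            f["prompts"] = max(f["prompts"], count)
            if ev["result"] == "approved":
                # the burst ended in an approval: treat as a likely compromise
                f["severity"] = "high"
                f["approved_from"] = ev["ip"]
    return findings
```

In practice the IP recorded on the approval is the first pivot for the responder: it is the address that authenticated, and should be compared against the user's usual locations and the VPN concentrator.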


Updated 2022-09-20

While Uber is still looking into its recent security breach, the company posted a formal update on its investigation and said that based on current evidence, there is no indication that the intruder—believed to be a teenager—gained access to any sensitive user data (like trip history). The company said that all its services, like Uber, Uber Eats, Uber Freight, and the Uber Driver app, are fully operational.

Uber got all the way hacked, supposedly by an 18-year-old who shared his activities with multiple security researchers. It started by phishing an employee’s 2FA code by pretending to be IT, and from there he got VPN access, access to Slack, a file share containing scripts with hardcoded creds, AWS, GSuite, VSphere, Duo, OneLogin, and…well…basically everything. Including its HackerOne program, which had all its previous vulnerability reports. It’s easy to poke fun at a big company being owned this bad by a teenager, but the truth is most companies are just as vulnerable. Passwordless (FIDO2, etc.) won’t solve everything, but it can’t come fast enough.

Updated 2022-09-19

Uber said on Monday a hacker affiliated with Lapsus$ hacking group was responsible for a cyber-attack that forced the company to shut down several internal communications temporarily last week. Read more: Uber says Lapsus$-linked hacker responsible for breach

Updated 2022-09-18

Uber was hacked, and it looks bad — “screenshots of sensitive internal dashboards posted on the internet”-style bad. Uber hasn’t said much about the hack, only that it was “responding to a cybersecurity incident.” It’s not clear if this is a data breach, but the hacker’s access appeared broad and extensive, gaining access to AWS and Google cloud dashboards (where Uber stores customer data), Uber’s Slack (where the hacker announced the breach — no less), and its HackerOne account (which it uses for bug bounties and remediating serious vulnerabilities).

The hacker, who claims to be an 18-year-old, according to several security researchers who spoke with them, basically got the keys to Uber’s kingdom by spamming MFA prompts until an employee accepted.

It’s a fast-paced incident, so expect more to come in the next few days. As usual in cases like this, @billdemirkapi has an excellent thread on what went down, and Ars Technica has a timeline and a deeper dive.

