Uber discovered its computer network had been breached on Thursday, leading the company to take several of its internal communications and engineering systems offline as it investigated the extent of the hack.
The breach appeared to have compromised many of Uber’s internal systems, and a person claiming responsibility for the hack sent images of email, cloud storage and code repositories to cybersecurity researchers and The New York Times.
“They pretty much have full access to Uber,” said Sam Curry, a security engineer at Yuga Labs who corresponded with the person who claimed to be responsible for the breach. “This is a total compromise, from what it looks like.”
An Uber spokesperson said the company was investigating the breach and contacting law enforcement officials.
Uber employees were instructed not to use the company’s internal messaging service, Slack, and found that other internal systems were inaccessible, said two employees, who were not authorized to speak publicly.
Shortly before the Slack system was taken offline Thursday afternoon, Uber employees received a message that read: “I announce I am a hacker and Uber has suffered a data breach.” The message went on to list several internal databases that the hacker claimed had been compromised.
The hacker compromised a worker’s Slack account and used it to send the message, the Uber spokesperson said. It appeared that the hacker was later able to gain access to other internal systems, posting an explicit photo on an internal information page for employees.
The person who claimed responsibility for the hack told the Times that he had sent a text message to an Uber worker claiming to be a corporate information technology person. The worker was persuaded to hand over a password that allowed the hacker to gain access to Uber’s systems, a technique known as social engineering.
“These types of social engineering attacks to gain a foothold in tech companies have been increasing,” said Rachel Tobac, CEO of SocialProof Security. Tobac pointed to the 2020 hack of Twitter, in which teenagers used social engineering to break into the company. Similar social engineering techniques were used in recent breaches at Microsoft and Okta.
“We are seeing that attackers are getting smart and also documenting what is working,” Tobac said. “They have kits now that make it easier to deploy and use these social engineering methods. It’s become almost commoditized.”
The hacker, who provided screenshots of internal Uber systems to demonstrate his access, said that he was 18 years old and had been working on his cybersecurity skills for several years. He said he had broken into Uber’s systems because the company had weak security. In the Slack message that announced the breach, the person also said Uber drivers should receive higher pay.
The person appeared to have access to Uber source code, email and other internal systems, Curry said. “It seems like maybe they’re this kid who got into Uber and doesn’t know what to do with it, and is having the time of his life,” he said.
In an internal email that was seen by the Times, an Uber executive told employees that the hack was under investigation. “We don’t have an estimate right now as to when full access to tools will be restored, so thank you for bearing with us,” wrote Latha Maripuri, Uber’s chief information security officer.
It was not the first time that a hacker had stolen data from Uber. In 2016, hackers stole information from 57 million driver and rider accounts, then approached Uber and demanded $100,000 to delete their copy of the data. Uber arranged the payment, but kept the breach secret for more than a year.
Joe Sullivan, who was Uber’s top security executive at the time, was fired for his role in the company’s response to the hack. Sullivan was charged with obstructing justice for failing to disclose the breach to regulators and is currently on trial.
Attorneys for Sullivan have argued that other employees were responsible for regulatory disclosures and said the company had scapegoated Sullivan.
This article originally appeared in The New York Times.