Uber is investigating a breach of its computer system

Uber discovered that its computer network was breached on Thursday, forcing the company to take many of its internal communications and engineering systems offline while it investigated the extent of the hack.

The breach appears to have compromised a number of Uber’s internal systems, and a person claiming responsibility for the hack sent cybersecurity researchers and The New York Times images of email, cloud storage and code repositories.

“They have full access to Uber,” said Sam Curry, a security engineer at Yuga Labs. “What it looks like is a total compromise.”

An Uber spokesperson said the company is investigating the breach and is contacting law enforcement officials.

Uber employees were instructed not to use the company’s internal messaging service, Slack, and found other internal systems inaccessible, said two employees who were not authorized to speak publicly.

Shortly before the Slack system went offline on Thursday afternoon, Uber employees received a message that read: “I declare that I am a hacker and Uber has suffered a data breach.” The message went on to list a number of internal databases that the hacker claimed had been compromised.

An Uber spokesperson said the hacker tampered with an employee’s Slack account and used it to send messages. It appears that the hacker was later able to gain access to other internal systems by posting a candid image on an internal information page for employees.

The person who claimed responsibility for the hack told the Times that he had sent a text message to an Uber employee claiming to be a corporate information technology person. The employee was persuaded to hand over a password, which allowed the hacker to gain access to Uber’s systems, a technique known as social engineering.

“These types of social engineering attacks are on the rise within tech companies to gain a foothold,” said Rachel Tobac, CEO of SocialProof Security. Tobac pointed to Twitter’s 2020 hack, in which teenagers used social engineering to break into the company. Similar social engineering techniques were used in recent breaches at Microsoft and Okta.

“We’re seeing attackers getting smarter and also documenting what’s working,” Tobac said. “They now have kits that make it simpler to deploy and use these social engineering strategies. It has virtually become commoditized.”

The hacker, who provided screenshots of the internal Uber system to demonstrate his access, said he was 18 years old and had been working on his cybersecurity skills for a number of years. He said he had breached Uber’s systems because the company’s security was weak. In a Slack message announcing the breach, the person also said that Uber drivers should get higher pay.

Curry said it appears the person has access to Uber source code, email and other internal systems. “Looks like maybe they’re this kid who joined Uber and doesn’t know what to do with it, and is having the time of their lives,” he said.

In an internal email seen by the Times, an Uber executive told employees the hack was being investigated. “Right now we have no estimate when full access to the tool will be restored, so thank you for working with us,” wrote Uber’s chief information security officer, Latha Maripuri.

This was not the first time a hacker had stolen data from Uber. In 2016, hackers stole information from 57 million driver and rider accounts, then contacted Uber and demanded $100,000 to delete their copy of the data. Uber arranged the payment, but kept the breach a secret for more than a year.

Joe Sullivan, who was Uber’s top security executive at the time, was fired for his role in the company’s response to the hack. Sullivan was charged with obstruction of justice for failing to disclose the breach to regulators and is currently on trial.

Sullivan’s lawyers have argued that other employees were responsible for regulatory disclosures and said the company had made Sullivan a scapegoat.

This article originally appeared in The New York Times.


With inputs from TheIndianEXPRESS
