An 18-year-old hacker has taken responsibility for hacking Uber and the details are not looking good for the rideshare company.
On Thursday night, Uber announced that it had suffered a “cybersecurity incident” and that it was working with law enforcement on the issue. A report in the New York Times detailed the “incident” as a data breach that had taken many of Uber’s internal systems offline. As many more details have leaked from Uber employees, however, we now know much more about what happened.
So, how did it go down? An 18-year-old hacker deployed basic social engineering techniques targeting an Uber employee. The hacker told the New York Times that he simply posed as an IT worker from corporate in a text message and was able to convince the employee to send over a password that gave him access.
“This is yet another example of what attack after attack has shown: social engineering is the predominant way that companies fall victim to breaches, and adversaries know it works,” said Josh Yavor, chief information security officer for the cloud security company Tessian, in a statement to Mashable. “We keep seeing the same tactics play out regardless of the adversary or victim: adversaries know that people can be tricked into giving up their passwords.”
On top of the simplicity of the hack, there’s another incredible facet to this breach: Uber didn’t know it was hacked until the teen hacker announced himself in the company’s Slack channel.
“Hi @here,” the hacker’s message began. “I announce i am a hacker and uber has suffered a data breach.”
The hacker proceeded to run down some of the company’s internal systems that were compromised, like Slack for example, and ended his message by calling out Uber for underpaying its drivers.
Uber employees, at first, thought the whole thing was a joke.
Sam Curry, a staff engineer at Yuga Labs, the company behind the Bored Ape Yacht Club NFT project, shared additional information about the hack which he says he received from a contact at Uber.
According to Curry’s source, Uber’s domain admin, Amazon Web Services admin, and GSuite were among some of the company accounts that were compromised. Screenshots, allegedly from the hacker, quickly spread showing his access to these services.
“Anytime I request a website, I am taken to a REDACTED page with a pornographic image and the message “F*** you wankers,” explained Curry’s Uber source.
Uber also quickly warned its employees to stay away from Slack, but according to Curry’s contact, many people in the company kept logging back on to check out everyone’s joke responses.
In its report on the hack, The Verge highlighted a Twitter thread from security researcher Corben Leo who got a bit technical with how the hacker was able to gain access to so many internal systems. Basically, once the employee sent his password to the teen, the young hacker was able to access the company VPN, scan the intranet, and find Powershell scripts containing credentials for multiple services.
“Gaining entry to private data inside VPNs needs to be difficult and behind strict protections,” explained Jack Moore, global cyber security advisor at cybersecurity company ESET, in a statement provided to Mashable. “Using a simple SMS as a vehicle to hack into their systems now leaves Uber with a lot of questions about how much data was compromised via such an easy method.”
Moore said that the attack should “highlight once again the importance of training staff to remain eagle eyed and with the ability to spot targeted phishing attempts and double check before handing over any sort of credentials.”
This isn’t the first time Uber has been hacked. Back in 2016, a 20-year-old was responsible for a security breach that affected 57 million Uber customers around the world. This time time around, however, Uber says that sensitive user data wasn’t compromised.