Uber has confirmed reports of a cybersecurity incident that has impacted its cloud-based servers. The company, while confirming the incident on its official Twitter page, said it is “in touch with law enforcement and will post additional updates…”
As reported by the New York Times, Uber discovered that its computer network had been breached on Thursday. The company has since put in place some security measures, including taking several of its internal communications and engineering systems offline, according to the NYT.
The hack appeared to have impacted Uber’s internal systems. Images of email, cloud storage, and code repositories were sent to cybersecurity researchers and NYT by a person claiming responsibility for the breach.
“We don’t have an estimate right now as to when full access to tools will be restored, so thank you for bearing with us,” wrote Latha Maripuri, Uber’s chief information security officer, in an email, as per NYT.
So, how was Uber’s security system hacked?
According to a screenshot shared by a security researcher, the hacker explained how he gained full access:
- They social-engineered an employee to get their VPN and Slack login.
- Once on Slack, they found a link to a network share.
- The share contained PowerShell scripts.
- One of these embedded the username and password of an Uber admin.
- Those credentials gave them access to everything else.
The hacker also told the New York Times how he had sent a text message to an Uber staff member, claiming to be a corporate information technology person. The staff member was then persuaded to release a password, which allowed the hacker to gain access to Uber’s systems.
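The scripts on the network share with an embedded admin username and password are the step in that chain a defender can audit for ahead of time. As an added example (not from the original article or from Uber), this Python scanner flags password literals in PowerShell files and redacts them in its report; the rule names, the sample script, and every value in it are constructed for illustration.

```python
import re
from pathlib import Path

PS_SUFFIXES = {".ps1", ".psm1", ".psd1"}
# Each rule captures the literal in a group named "secret" so it can be redacted.
RULES = [
    ("plaintext-securestring", re.compile(
        r"ConvertTo-SecureString\s+(?:-String\s+)?(['\"])(?P<secret>[^'\"$]+)\1.*-AsPlainText", re.I)),
    ("password-variable-literal", re.compile(
        r"\$\w*(?:pass(?:word|wd)?|pwd|secret|token|apikey)\w*\s*=\s*(['\"])(?P<secret>[^'\"$]+)\1", re.I)),
    ("net-use-inline-password", re.compile(
        r"net\s+use\s+(?:\w:\s+)?\\\\\S+\s+(?P<secret>[^\s/$]\S*)\s+/user:", re.I)),
]

# Constructed sample script; every name and value in it is made up.
SAMPLE = r'''# map the build share
$user = "CORP\svc-admin"
$pw = ConvertTo-SecureString "Example-Passw0rd!" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($user, $pw)
$apiPassword = 'hunter2-example'
$safe = ConvertTo-SecureString $env:SVC_PW -AsPlainText -Force
$prompted = Read-Host -AsSecureString "Password"
net use \\fileserver\share Example-Passw0rd! /user:CORP\svc-admin
'''

def scan_text(text, source):
    """Return (source, line_no, rule, redacted_line) for each hard-coded secret."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for rule, pattern in RULES:
            m = pattern.search(line)
            if m:  # redact so the report does not spread the secret further
                shown = line[:m.start("secret")] + "<redacted>" + line[m.end("secret"):]
                findings.append((source, line_no, rule, shown.strip()))
    return findings

def read_script(path):
    """Decode a script; PowerShell files are often UTF-16 with a BOM."""
    raw = Path(path).read_bytes()
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("utf-8-sig", errors="replace")

def scan_tree(root):
    """Scan every PowerShell file under root (for example a mounted share)."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in PS_SUFFIXES:
            findings += scan_text(read_script(path), str(path))
    return findings

if __name__ == "__main__":
    for finding in scan_text(SAMPLE, "sample.ps1"):
        print(finding)
```

Lines that read the password from the environment or prompt for it are not flagged, which is the pattern the flagged lines should be migrated to.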
In 2016, hackers stole information from 57 million driver and rider accounts, and later approached Uber and demanded $100,000 to delete their copy of the data. Uber, according to reports, bowed to the hackers' demand but did not disclose the breach for more than a year.
Reuters had exclusively reported back in 2017 that Uber bought the silence of a 20-year-old man from Florida over the large data breach that affected the company in 2016. The young man, according to Reuters, was responsible for the data breach, but was paid by Uber to destroy the data through the company’s “bug bounty” program.
The norm for a bounty program is to pay an amount in the region of $5,000 to $10,000. Uber’s payment of $100,000 to the 20-year-old man, who reportedly lives with his mom, was out of the ordinary.