The ride-hailing service Uber said Friday that all its services are operational following what security professionals were calling a serious data breach. It said there was no evidence the hacker got access to sensitive user data.
What appeared to be a lone hacker announced the breach on Thursday after apparently tricking an Uber employee into providing credentials.
Screenshots the hacker shared with security researchers indicate this person obtained full access to the cloud-based systems where Uber stores sensitive customer and financial data.
It is not known how much data the hacker stole or how long they were inside Uber’s network. Two researchers who communicated directly with the person, who self-identified as an 18-year-old to one of them, said they appeared interested in publicity. There was no indication they destroyed data.
But files shared with the researchers and posted widely on Twitter and other social media indicated the hacker was able to access Uber’s most vital internal systems.
“It was really bad the access he had. It’s awful,” said Corbin Leo, one of the researchers who chatted with the hacker online.
He said screenshots the person shared showed the intruder got access to systems stored on Amazon and Google cloud-based servers where Uber keeps source code, financial data and customer data such as driver’s licenses.
“If he had keys to the kingdom he could start stopping services. He could delete stuff. He could download customer data, change people’s passwords,” said Leo, a researcher and head of business development at the security company Zellic.
Screenshots the hacker shared, many of which found their way online, showed they had accessed sensitive financial data and internal databases. Among them was one in which the hacker announced the breach on Uber’s internal Slack collaboration system.
Sam Curry, an engineer with Yuga Labs who also communicated with the hacker, said there was no indication that the hacker had done any damage or was interested in anything more than publicity. “My gut feeling is that it seems like they are out to get as much attention as possible.”
Curry said he spoke to several Uber employees Thursday who said they were “working to lock down everything internally” to restrict the hacker’s access. That included the San Francisco company’s Slack network, he said.
In a statement posted online Friday, Uber said “internal software tools that we took down as a precaution yesterday are coming back online.”
It said all its services, including Uber Eats and Uber Freight, were operational.
The company did not respond to questions from The Associated Press, including about whether the hacker gained access to customer data and if that data was stored encrypted. The company said there was no evidence that the intruder accessed “sensitive user data” such as trip history.
Curry and Leo said the hacker did not indicate how much data was copied. Uber did not recommend any specific actions for its users, such as changing passwords.
The hacker alerted the researchers to the intrusion Thursday by using an internal Uber account on the company’s network used to post vulnerabilities identified through its bug-bounty program, which pays ethical hackers to ferret out network weaknesses.
After commenting on those posts, the hacker provided a Telegram account address. Curry and other researchers then engaged them in a separate conversation, where the intruder provided screenshots of various pages from Uber’s cloud providers to prove they broke in.
The AP attempted to contact the hacker at the Telegram account, but received no response.
Screenshots posted on Twitter appeared to confirm what the researchers said the hacker claimed: that they obtained privileged access to Uber’s most critical systems through social engineering. Effectively, the hacker discovered the password of an Uber employee. Then, posing as a fellow worker, the hacker bombarded the employee with text messages asking them to confirm that they had logged into their account. Ultimately, the employee caved and provided a two-factor authentication code the hacker used to log in.
Social engineering is a popular hacking strategy, as humans tend to be the weakest link in any network. Teenagers used it in 2020 to hack Twitter and it has more recently been used in hacks of the tech companies Twilio and Cloudflare.
Uber has been hacked earlier than.
Its former chief security officer, Joseph Sullivan, is currently on trial for allegedly arranging to pay hackers $100,000 to cover up a 2016 high-tech heist in which the personal information of about 57 million customers and drivers was stolen.