Uber Technologies Inc. has recently acknowledged a security breach affecting its internal computer systems, first reported late Thursday. The company stated that there is currently “no evidence” suggesting that sensitive user data, such as trip history, has been accessed during the incident.

In a public statement, Uber clarified, “We have no evidence that the incident involved access to sensitive user data. All our platforms, including the Uber app, Uber Eats, and Uber Freight, are fully operational.” Following the breach, the company has reinstated all internal tools that were temporarily shut down for security precautions, and it has notified law enforcement regarding the incident.

The full extent of the hack remains unclear, particularly whether additional sensitive information was compromised and how long the intruder had access to the network. Uber’s ongoing investigation has not disclosed specific details about the breach, but cybersecurity analyst Bill Demirkapi questioned the validity of Uber’s “no evidence” claim, noting that an absence of evidence could equally mean that access occurred but was never detected.

Initial reports suggest that an 18-year-old hacker gained access through social engineering, manipulating an employee into accepting a multi-factor authentication (MFA) push prompt, which allowed the attacker to enroll a personal device with Uber’s internal systems. Once inside, the hacker discovered an internal network share containing privileged credentials, which granted broad access to critical systems, including AWS and Slack.
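The sequence described above, repeated push prompts until one is accepted followed by enrollment of an unfamiliar device, leaves a recognizable trace in identity-provider logs. The following is an added example (not code from the article, Uber, or any named vendor) of detection logic a defender could run over MFA push events: it flags an approval that follows several denied or timed-out pushes within a short window, and raises the severity when a new device is enrolled shortly after. The JSON-lines schema, field names, thresholds and the sample events are all constructed assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Detection parameters (assumed values; tune to the environment).
WINDOW = timedelta(minutes=10)         # look-back for failed/ignored pushes before an approval
ENROLL_WINDOW = timedelta(minutes=15)  # look-ahead for a device enrollment after the approval
THRESHOLD = 3                          # failed pushes that make the approval suspicious

FAILED = {"push_denied", "push_timeout"}

# Constructed sample events, not real logs. Assumed schema: one JSON object per line
# with ts (UTC), user, event and device_id. "alice" shows a fatigue pattern ending in an
# approval and a new device; "bob" is a single denied push followed by a normal approval.
SAMPLE_EVENTS = """\
{"ts": "2000-01-01T22:01:05Z", "user": "alice", "event": "push_denied",    "device_id": "dev-alice-phone"}
{"ts": "2000-01-01T22:01:40Z", "user": "alice", "event": "push_timeout",   "device_id": "dev-alice-phone"}
{"ts": "2000-01-01T22:02:12Z", "user": "alice", "event": "push_denied",    "device_id": "dev-alice-phone"}
{"ts": "2000-01-01T22:03:01Z", "user": "alice", "event": "push_timeout",   "device_id": "dev-alice-phone"}
{"ts": "2000-01-01T22:04:30Z", "user": "alice", "event": "push_approved",  "device_id": "dev-alice-phone"}
{"ts": "2000-01-01T22:05:02Z", "user": "alice", "event": "device_enrolled","device_id": "dev-unknown-9f2c"}
{"ts": "2000-01-01T22:10:00Z", "user": "bob",   "event": "push_denied",    "device_id": "dev-bob-phone"}
{"ts": "2000-01-01T22:10:45Z", "user": "bob",   "event": "push_approved",  "device_id": "dev-bob-phone"}
"""


def parse_events(text):
    """Parse JSON-lines MFA events, converting the timestamp to a datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def detect_mfa_fatigue(events):
    """Return one alert per approval preceded by >= THRESHOLD failed pushes within WINDOW.

    Severity is 'high' when a device enrollment follows the approval within ENROLL_WINDOW,
    since that is the step that turns a single accepted prompt into persistent access.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, approval in enumerate(evs):
            if approval["event"] != "push_approved":
                continue
            failed = [f for f in evs[:i]
                      if f["event"] in FAILED and approval["ts"] - f["ts"] <= WINDOW]
            if len(failed) < THRESHOLD:
                continue
            new_devices = [d["device_id"] for d in evs[i + 1:]
                           if d["event"] == "device_enrolled"
                           and d["ts"] - approval["ts"] <= ENROLL_WINDOW]
            alerts.append({
                "user": user,
                "approved_at": approval["ts"].strftime("%Y-%m-%dT%H:%M:%SZ"),
                "failed_pushes": len(failed),
                "new_devices": new_devices,
                "severity": "high" if new_devices else "medium",
            })
    return alerts


def run_sample():
    """Run the detector over the constructed sample and return the alerts."""
    return detect_mfa_fatigue(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for alert in run_sample():
        print(json.dumps(alert))
```

On the sample, only "alice" is flagged: four failed pushes in the preceding ten minutes, then an approval, then an unknown device enrolled within a minute, so the alert is high severity. The single denied push for "bob" stays below the threshold. In practice the same rule pairs well with a number-matching or FIDO2 requirement, which removes the one-tap approval that this pattern depends on.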

A follow-up analysis from Group-IB revealed that the attacker possessed logs from info-stealing malware, which had recently been put up for sale on the dark web. These logs indicated instances where at least two Uber employees had been infected with malware known as Raccoon and Vidar, suggesting that the hacker may have exploited this compromised information to escalate their access within Uber’s network.

Moreover, the breach appears to involve sensitive vulnerability reports submitted to HackerOne through Uber’s bug bounty program. In response to this revelation, HackerOne has temporarily disabled Uber’s account. Unauthorized access to these security reports poses significant risks, especially if the hacker chooses to monetize this information by selling details about unpatched vulnerabilities.

Reports indicate that the motivations behind the breach may not solely be financial. A message distributed through Slack by the hacker expressed criticism of Uber’s driver pay rates, indicating potential hacktivist motives. While the hacker has hinted that they could leak Uber’s source code in the future, the overall impact remains speculative.

This incident, along with recent breaches affecting companies like Twilio and Cloudflare, emphasizes the ongoing threat posed by social engineering. The hack illustrates how organizations remain vulnerable when a single employee is tricked into handing over access, and security experts stress that businesses should account for a broader spectrum of potential attackers, including disgruntled insiders, when assessing their cybersecurity posture.

Frameworks such as the MITRE ATT&CK Matrix can help organizations map the adversary behavior seen in this attack; the Initial Access, Persistence, and Privilege Escalation tactics were all likely observed. As cybersecurity challenges evolve, organizations should strengthen employee training and adopt robust authentication practices, including phishing-resistant methods such as FIDO2-compliant security keys, which cannot be satisfied by approving a push prompt.
