Ride hailing giant Uber disclosed Thursday it’s responding to a cybersecurity incident involving a breach of its network and that it’s in touch with law enforcement authorities.
The New York Times first reported the incident. The company pointed to its tweeted statement when asked for comment on the matter.
The hack is said to have forced the company to take its internal communications and engineering systems offline as it investigated the extent of the breach.
The publication said the malicious intruder compromised an employee’s Slack account, and leveraged it to broadcast a message that the company had “suffered a data breach,” in addition to listing internal databases that’s supposed to have been compromised.
“It appeared that the hacker was later able to gain access to other internal systems, posting an explicit photo on an internal information page for employees,” the New York Times said.
Uber has yet to offer additional details about the incident, but it seems that the hacker, believed to be an 18-year-old teenager, social-engineered the employee to get hold of their password by masquerading as a corporate IT person and used it to obtain a foothold into the internal network.
Although the account was secured with two-factor authentication (2FA) protections, the hacker is alleged to have spammed the employee with push notifications and also contacted the person on WhatsApp, asking to accept the request by claiming to be from Uber’s IT department.
The incident is reminiscent of the recently disclosed Cisco hack wherein the cybercriminal actors resorted to the technique of prompt bombing to achieve a 2FA push acceptance.
“Once on the internal network, the attackers found high privileged credentials laying on a network file share and used them to access everything, including production systems, corp EDR console, [and] Uber slack management interface,” Kevin Reed, chief information security officer at Acronis, told The Hacker News.
This is not Uber’s first breach. It came under scrutiny for failing to properly disclose a 2016 data breach affecting 57 million riders and drivers, and ultimately paying off the hackers $100,000 to hide the breach. It became public knowledge only in late 2017.
Federal prosecutors in the U.S. have since charged its former security officer, Joe Sullivan, with an alleged attempted cover-up of the incident, stating he had “instructed his team to keep knowledge of the 2016 breach tightly controlled.” Sullivan has contested the accusations.
In December 2021, Sullivan was handed down additional three counts of wire fraud to previously filed felony obstruction and misprision charges. “Sullivan allegedly orchestrated the disbursement of a six-figure payment to two hackers in exchange for their silence about the hack,” the superseding indictment said.
It further said he “took deliberate steps to prevent persons whose PII was stolen from discovering that the hack had occurred and took steps to conceal, deflect, and mislead the U.S. Federal Trade Commission (FTC) about the data breach.”
The latest breach also comes as the criminal case against Sullivan went to trial in the U.S. District Court in San Francisco.
“The compromise is certainly bigger compared to the breach in 2016,” Reed said. “Whatever data Uber keeps, the hackers most probably already have access.”