Uber investigates ‘cybersecurity incident’ after reports of a hack at the company


Uber said Thursday it was investigating a cybersecurity incident over reports that the ride-hailing company had been hacked.

“We are currently responding to a cybersecurity incident,” Uber said in a statement on Twitter. “We are in contact with the police and will post additional updates here as they become available.”

A hacker gained control of Uber’s internal systems after he compromised an employee’s Slack account, according to the New York Times, which says it communicated directly with the attacker. Slack, a workplace messaging service, is used by many technology companies and startups for everyday communication. Uber has now disabled its Slack, according to multiple reports.

Shares of Uber fell 5% on Friday after news of the hack.

After compromising Uber’s internal Slack in a so-called social engineering attack, the hacker then went on to gain access to other internal databases, the Times reported. In a Slack message, the hacker is said to have written: “I announce that I am a hacker and that Uber has suffered a data breach.”

A separate report, from the Washington Post, says the alleged attacker told the newspaper they hacked Uber for fun and could leak the company’s source code within months.

Employees initially thought the attack was a joke and responded to Slack messages from the alleged hacker with emojis and GIFs, the Post reported, citing two people familiar with the case.

Screenshots shared on Twitter suggest the hacker also managed to take over Uber’s Amazon Web Services and Google Cloud accounts and access internal financial data.

CNBC was unable to independently verify the information. Uber declined to comment on the statement posted to Twitter.

While it’s not yet entirely clear how Uber’s systems were compromised, cybersecurity researchers said initial reports indicate the hacker avoided advanced hacking techniques in favor of social engineering, in which criminals prey on people’s gullibility and inexperience to gain access to corporate accounts and sensitive data.

“This is a pretty low threshold for an attack,” said Ian McShane, vice president of strategy at cybersecurity firm Arctic Wolf. “Given the access they claim they’ve been given, I’m surprised the attacker didn’t try to pay ransom or extort money, it looks like they were doing it ‘for the lulz’.”

“It’s further proof that humans are often the weakest link in your security system,” added McShane.

Sam Curry, a self-proclaimed “bug bounty hunter,” said he had been in contact with the alleged Uber hacker and claimed the targeted employee was involved in incident response. Curry said this means the hacker likely had “elevated access to begin with.” Bug bounties are rewards offered by companies to hackers for discovering software vulnerabilities.

“To my knowledge, the attacker had keys to the kingdom after obtaining an internal file with credentials for almost everything,” he added. Curry works for crypto startup Yuga Labs as a security engineer and says he spoke to the hacker via Telegram, an instant messaging platform.

News of the attack comes as Joe Sullivan, the former Uber security chief, is on trial for a 2016 breach in which the data of 57 million users and drivers was stolen. In 2017, the company admitted to concealing the attack and the following year it paid $148 million in a settlement with 50 US states and Washington, D.C.

Uber has tried to clean up its image following the departure in 2017 of Travis Kalanick, the controversial former CEO who founded the company in 2009. But scandals and controversies from Kalanick’s tumultuous tenure continue to haunt the company.

In July, The Guardian reported on the leak of thousands of documents describing how Uber invaded cities around the world, even if it meant breaking local laws. In one case, former CEO Travis Kalanick said that “violence is a guarantee of success” after being confronted by other executives over safety concerns for Uber drivers sent to a protest in France.

In response to The Guardian’s coverage at the time, Uber said the events were related to “past behavior” and “not in line with our current values”.
