Uber investigating cybersecurity incident after hacker breaches its internal network

Carly Page

Uber confirmed on Thursday that it’s responding to a cybersecurity incident after reports claimed a hacker had breached its internal network.

The ride-hailing giant discovered the breach on Thursday and has taken several of its internal communications and engineering systems offline while it investigates the incident, according to a report by The New York Times, which broke the news of the breach.

Uber said in a statement given to TechCrunch that it's investigating a cybersecurity incident and is in contact with law enforcement officials, but declined to answer additional questions.

The sole hacker behind the breach, who claims to be 18 years old, told the NYT that he compromised Uber because the company had weak security. The attacker reportedly used social engineering to compromise an employee's Slack account, persuading them to hand over a password that allowed access to Uber's systems. This has become a popular tactic in recent attacks against well-known companies, including Twilio, Mailchimp, and Okta.

Shortly before the Slack system was taken offline on Thursday afternoon, Uber employees received a message that read, “I announce I am a hacker and Uber has suffered a data breach”, the NYT reports. The hacker also reportedly said that Uber drivers should receive higher pay.

According to Kevin Reed, CISO at cybersecurity company Acronis, the attacker found highly privileged credentials on a network file share and used them to access everything, including production systems, Uber's Slack management interface, and the company's EDR portal.

“If you had your data in Uber, there's a high chance so many people have access to it,” Reed said, noting that it’s not yet clear how the attacker bypassed two-factor authentication (2FA) after obtaining the employee's password.

The attacker is also believed to have gained administrative access to Uber's cloud services, including Amazon Web Services (AWS) and Google Cloud (GCP), where Uber stores its source code and customer data, as well as to the company’s HackerOne bug bounty program.

Sam Curry, a security engineer at Yuga Labs who described the breach as a “complete compromise”, said that the threat actor likely had access to all of the company’s vulnerability reports, which means they may have had access to vulnerabilities that have not been fixed. HackerOne has since disabled the Uber bug bounty program.

In a statement given to TechCrunch, Chris Evans, HackerOne CISO and Chief Hacking Officer, said the company "is in close contact with Uber’s security team, have locked their data down, and will continue to assist with their investigation."

This is not the first time that Uber has been compromised. In 2016, hackers stole information from 57 million driver and rider accounts and then approached Uber and demanded $100,000 to delete their copy of the data. Uber arranged the payment but kept the breach a secret for more than a year.
