Ride-hailing service Uber said Friday that all of its services are operational after what security professionals called a major data breach. The company said there was no evidence the hacker had access to sensitive user data.
What appeared to be a lone hacker announced the breach on Thursday after apparently tricking an Uber employee into providing credentials.
Screenshots shared by the hacker with security researchers indicate that this person gained full access to the cloud-based systems where Uber stores sensitive customer and financial data.
It’s not known how much data the hacker stole or how long they were inside Uber’s network. Two investigators who contacted the person directly (who identified himself as an 18-year-old to one of them) said the hacker was interested in publicity. There was no indication that the hacker destroyed any data.
However, files shared with investigators and widely posted on Twitter and other social media showed the hacker was able to access Uber’s most critical internal systems.
“The access he had was very poor. It’s awful,” said Corbin Leo, one of the researchers who chatted with the hacker online.
He said screenshots shared by the person showed the attacker had access to systems stored on Amazon and Google cloud-based servers, where Uber maintains its source code, financial data and customer data such as driver’s licenses.
“If he had keys to the kingdom, he could start disrupting services. He could delete things. He could download customer data, change people’s passwords,” said Leo, researcher and head of business development at security firm Zellic.
Screenshots shared by the hacker – many of which found their way online – showed they had access to sensitive financial data and internal databases. Among them was one in which the hacker announced a breach of Uber’s internal Slack collaboration system.
Sam Curry, a Yuga Labs engineer who was also communicating with the hacker, said there was no indication the hacker had done any damage or was interested in anything more than publicity. “My gut feeling is that it looks like they want to get as much attention as possible.”
Curry said he spoke with several Uber employees Thursday, who said they were “working to lock down everything internally” to limit the hacker’s access. That included the San Francisco company’s Slack network, he said.
In a statement posted online Friday, Uber said “the internal software tools we proactively removed yesterday are coming back online.”
It said all of its services — including Uber Eats and Uber Freight — were operational.
The company did not respond to questions from The Associated Press, including whether the hacker accessed customer data and whether that data was stored encrypted. The company said there was no evidence the attacker had access to “sensitive user data” such as travel history.
Curry and Leo said the hacker did not indicate how much data was copied. Uber did not recommend specific actions for its users, such as changing passwords.
The hacker alerted investigators to the hack on Thursday using an internal Uber account on the company’s network used to post vulnerabilities found through the bug-bounty program, which pays ethical hackers to find network weaknesses.
After commenting on these posts, the hacker provided a Telegram account address. Curry and other researchers then joined them in a separate conversation where the attacker provided screenshots of various pages from Uber’s cloud providers to prove they were hacked.
The AP tried to contact the hacker on the Telegram account, but did not receive a response.
Snapshots posted on Twitter appeared to confirm what investigators said the hacker claimed: that they gained privileged access to Uber’s most critical systems through social engineering. Essentially, the hacker discovered the password of an Uber employee. Then, posing as a colleague, the hacker bombarded the employee with text messages asking them to confirm that they had logged into their account. Eventually, the employee relented and provided a two-factor authentication code that the hacker used to log in.
Social engineering is a popular hacking strategy, as people tend to be the weakest link in any network. Teenagers used it in 2020 to hack Twitter, and more recently it has been used in hacks of tech companies Twilio and Cloudflare.
Uber has been hacked before.
Former security chief Joseph Sullivan is currently on trial for allegedly arranging to pay hackers $100,000 to cover up a 2016 high-tech heist in which the personal information of some 57 million customers and drivers was stolen.