Uber investigating breach of its computer systems

Uber discovered its computer network had been breached Thursday, leading the company to take several of its internal communications and engineering systems offline as it investigated the extent of the hack.

The breach appeared to have compromised many of Uber’s internal systems, and a person claiming responsibility for the hack sent images of e-mail, cloud storage and code repositories to cybersecurity researchers and The New York Times.

“They pretty much have full access to Uber,” said Sam Curry, a security engineer at Yuga Labs who corresponded with the person who claimed to be responsible for the breach. “It is a total compromise, from what it looks like.”

An Uber spokesperson said the company was investigating the breach and contacting law enforcement officials.

Uber employees were instructed not to use the company’s internal messaging service, Slack, and found that other internal systems were inaccessible, said two employees, who were not authorized to speak publicly.

Shortly before the Slack system was taken offline Thursday afternoon, Uber employees received a message that read: “I announce I’m a hacker and Uber has suffered a data breach.” The message went on to list several internal databases that the hacker claimed had been compromised.

The hacker compromised a worker’s Slack account and used it to send the message, the Uber spokesperson said. It appeared that the hacker was later able to gain access to other internal systems, posting an explicit picture on an internal information page for employees.

The person who claimed responsibility for the hack told the Times that he had sent a text message to an Uber worker claiming to be a corporate information technology person. The worker was persuaded to hand over a password that allowed the hacker to gain access to Uber’s systems, a technique known as social engineering.

“Most of these social engineering attacks to gain a foothold inside tech companies have been increasing,” said Rachel Tobac, CEO of SocialProof Security. Tobac pointed to the 2020 hack of Twitter, in which teenagers used social engineering to break into the company. Similar social engineering techniques were used in recent breaches at Microsoft and Okta.

“We’re seeing that attackers are getting smart and also documenting what’s working,” Tobac said. “They’ve kits now that make it easier to deploy and use these social engineering methods. It’s become almost commoditized.”

The hacker, who provided screenshots of internal Uber systems to demonstrate his access, said that he was 18 years old and had been working on his cybersecurity skills for several years. He said he had broken into Uber’s systems because the company had weak security. In the Slack message that announced the breach, the person also said Uber drivers should receive higher pay.

The person appeared to have access to Uber source code, e-mail and other internal systems, Curry said. “It seems like maybe they’re this kid who got into Uber and doesn’t know what to do with it, and is having the time of his life,” he said.

In an internal e-mail that was seen by the Times, an Uber executive told employees that the hack was under investigation. “We don’t have an estimate right now as to when full access to tools will be restored, so thanks for bearing with us,” wrote Latha Maripuri, Uber’s chief information security officer.

It was not the first time that a hacker had stolen data from Uber. In 2016, hackers stole information from 57 million driver and rider accounts, then approached Uber and demanded $100,000 to delete their copy of the data. Uber arranged the payment, but kept the breach secret for more than a year.

Joe Sullivan, who was Uber’s top security executive at the time, was fired for his role in the company’s response to the hack. Sullivan was charged with obstructing justice for failing to disclose the breach to regulators and is currently on trial.

Lawyers for Sullivan have argued that other employees were responsible for regulatory disclosures and said the company had scapegoated Sullivan.

This article originally appeared in The New York Times.