Ride-hailing giant Uber has confirmed that it is responding to a cybersecurity incident as reports emerge that the firm has suffered a significant network data breach forcing it to shut down several internal communications and engineering systems.
Attacker announces Uber breach through compromised Slack account
In a statement on Twitter, Uber wrote “We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available.” While details from the company were sparse at the time of writing, a report by the New York Times on Thursday claimed that a hacker was able to compromise an employee’s Slack account and used it to send a message to Uber employees announcing that the company had suffered a data breach.
The report, which cited an Uber spokesperson, also claimed that the hacker posted, “I announce I am a hacker and Uber has suffered a data breach,” before listing several internal databases that were apparently compromised. The person claiming responsibility for the hack told the New York Times that they had sent a text message to an Uber employee claiming to be a corporate IT person, persuading them hand over a password that allowed the actor to gain access to Uber’s systems.
According to a tweet by security researcher and bug bunty hunter Sam Curry, an anonymous Uber employee stated, “At Uber, we got an “URGENT” email from IT security saying to stop using Slack. Now anytime I request a website, I am taken to a REDACTED page with a pornographic image and the message “F*** you wankers.”
Speaking to CSO, Jake Moore, global cyber security advisor at ESET, says, “The use of a simple social engineering hack via SMS to hack into their systems leaves Uber with not just embarrassment but questions on how much data was so easily accessible behind one simple compromise. Attackers should never be underestimated and those targeted must remain vigilant to such attacks. Therefore, personal data needs to be behind much stricter securities and must be protected the best it can be not only from insider threats but also relentless attackers looking for vulnerable staff.”
Andy Swift, technical director of offensive security, Six Degrees, adds that internal systems are the soft underbelly of organizations, and the Uber incident just goes to show that even the most simplistic of techniques, if done correctly, can unpick an entire infrastructure with relative ease. “It’s why things like the concept of least privilege and focus on maintaining and reducing internal attack surfaces with a holistic view is so very important and getting big focus right now. Trying to get companies to think less about the security of individual systems in pigeonholes and have a more holistic view embedded into their security testing programs through the use of red/purple teaming engagements can really help pinpoint areas of weakness against the organization as a whole. As we have seen here, looking at it from this perspective is important in understanding an attacker’s view, and continuous testing – combined with strategic, planned improvement based on results – is vital.”
CSO will follow this story and update as more details come to light.