
A teen hacked Uber and announced it in the company Slack. Employees thought it was a joke.


NelsonG


An 18-year-old hacker has taken responsibility for hacking Uber and the details are not looking good for the rideshare company.

On Thursday night, Uber announced that it had suffered a "cybersecurity incident" and that it was working with law enforcement on the issue. A report in the New York Times detailed the "incident" as a data breach that had taken many of Uber's internal systems offline. As many more details have leaked from Uber employees, however, we now know much more about what happened.

So, how did it go down? An 18-year-old hacker deployed basic social engineering techniques targeting an Uber employee. The hacker told the New York Times that he simply posed as an IT worker from corporate in a text message and was able to convince the employee to send over a password that gave him access.

"This is yet another example of what attack after attack has shown: social engineering is the predominant way that companies fall victim to breaches, and adversaries know it works," said Josh Yavor, chief information security officer for the cloud security company Tessian, in a statement to Mashable. "We keep seeing the same tactics play out regardless of the adversary or victim: adversaries know that people can be tricked into giving up their passwords."

On top of the simplicity of the hack, there's another incredible facet to this breach: Uber didn't know it was hacked until the teen hacker announced himself in the company's Slack channel.

"Hi @here," the hacker's message began. "I announce i am a hacker and uber has suffered a data breach."

The hacker proceeded to run down some of the company's internal systems that were compromised, like Slack for example, and ended his message by calling out Uber for underpaying its drivers.

Uber employees, at first, thought the whole thing was a joke. 

Sam Curry, a staff engineer at Yuga Labs, the company behind the Bored Ape Yacht Club NFT project, shared additional information about the hack which he says he received from a contact at Uber. 

According to Curry's source, Uber's domain admin, Amazon Web Services admin, and GSuite were among some of the company accounts that were compromised. Screenshots, allegedly from the hacker, quickly spread showing his access to these services.

"Anytime I request a website, I am taken to a REDACTED page with a pornographic image and the message 'F*** you wankers,'" explained Curry's Uber source.

Uber also quickly warned its employees to stay away from Slack, but according to Curry's contact, many people in the company kept logging back on to check out everyone's joke responses.

In its report on the hack, The Verge highlighted a Twitter thread from security researcher Corben Leo, who went into some technical detail on how the hacker was able to gain access to so many internal systems. Basically, once the employee sent his password to the teen, the young hacker was able to access the company VPN, scan the intranet, and find PowerShell scripts containing credentials for multiple services.
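The step that turned one phished password into admin access on several services was the discovery of scripts with credentials written directly into them. The defensive counterpart is to find those files before an intruder on the intranet does. The scanner below is an added example written for this page, not code from Mashable, Uber, or any of the researchers quoted; its regex rules are assumed heuristics for common PowerShell credential idioms, and the sample script it scans is constructed (the `Connect-SomeService` cmdlet is hypothetical; the `AKIA...EXAMPLE` key is AWS's documented placeholder).

```python
"""Scan PowerShell scripts on a file tree for hard-coded credentials.

Added example for this page (not Uber's or Mashable's code). It walks a
directory such as a mounted share, flags lines that embed passwords, API
keys or tokens, and masks the quoted value in its report so the output
itself does not become a second copy of the secret.
"""
from __future__ import annotations

import os
import re
import tempfile
from dataclasses import dataclass

# Heuristic rules (assumed patterns, not an exhaustive secret grammar).
# A quoted literal is matched as: opening quote, anything but that quote, closing quote.
RULES = [
    ("plaintext-securestring",
     re.compile(r'ConvertTo-SecureString\s+(["\'])(?:(?!\1).)+\1[^\n]*-AsPlainText', re.I)),
    ("password-parameter",
     re.compile(r'-(?:Password|Pass|Secret\w*|ApiKey|Token)\s+(["\'])(?:(?!\1).)+\1', re.I)),
    ("credential-assignment",
     re.compile(r'\$\w*(?:pass(?:word)?|pwd|secret|apikey|token)\w*\s*=\s*(["\'])(?:(?!\1).)+\1', re.I)),
    ("aws-access-key-id",
     re.compile(r'\bAKIA[0-9A-Z]{16}\b')),
]
POWERSHELL_EXTENSIONS = {".ps1", ".psm1", ".psd1"}
QUOTED = re.compile(r'(["\'])(?:(?!\1).)+\1')


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    line: str  # the offending line with quoted literals masked


def mask(line: str) -> str:
    """Replace every quoted literal with "***" so reports can be shared safely."""
    return QUOTED.sub(lambda m: m.group(1) + "***" + m.group(1), line)


def scan_text(text: str, path: str = "<memory>") -> list[Finding]:
    """One Finding per (line, rule) hit; a line tripping two rules is reported twice."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(path, line_no, name, mask(line.strip())))
    return findings


def scan_tree(root: str) -> list[Finding]:
    """Scan every PowerShell file below root (e.g. a mounted intranet share)."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for fn in sorted(filenames):
            if os.path.splitext(fn)[1].lower() in POWERSHELL_EXTENSIONS:
                full = os.path.join(dirpath, fn)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_text(fh.read(), full))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count hits per rule, useful as a quick triage metric across a share."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed sample of the kind of automation script the article describes.
# Connect-SomeService is a hypothetical cmdlet; the AKIA key is AWS's doc placeholder.
SAMPLE_SCRIPT = r'''
# Constructed sample of the kind of automation script the article describes.
$svcUser = "CORP\svc-backup"
$svcPassword = "Winter2022!"                      # hard-coded: flagged
$secure = ConvertTo-SecureString "Winter2022!" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($svcUser, $secure)
Set-AWSCredential -AccessKey AKIAIOSFODNN7EXAMPLE -SecretKey "wJalrXUtnFEMI/EXAMPLEKEY"
Connect-SomeService -Credential $cred -Token "abc123def456"
Write-Host "done"
'''


def run_demo() -> list[Finding]:
    """Write the constructed sample to a temp dir and scan it like a real share."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "backup.ps1"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_SCRIPT)
        with open(os.path.join(tmp, "README.txt"), "w", encoding="utf-8") as fh:
            fh.write('password = "ignored: not a PowerShell file"\n')
        return scan_tree(tmp)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.path}:{f.line_no} [{f.rule}] {f.line}")
    print(summarize(run_demo()))
```

Every hit here is a credential that belongs in a secrets store or a managed identity rather than in a script on a share; the masked report can go straight to the script owner without re-exposing the value.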

"Gaining entry to private data inside VPNs needs to be difficult and behind strict protections," explained Jack Moore, global cyber security advisor at cybersecurity company ESET, in a statement provided to Mashable. "Using a simple SMS as a vehicle to hack into their systems now leaves Uber with a lot of questions about how much data was compromised via such an easy method."

Moore said that the attack should "highlight once again the importance of training staff to remain eagle eyed and with the ability to spot targeted phishing attempts and double check before handing over any sort of credentials."

This isn't the first time Uber has been hacked. Back in 2016, a 20-year-old was responsible for a security breach that affected 57 million Uber customers around the world. This time around, however, Uber says that sensitive user data wasn't compromised.
