Uber investigating breach of its computer systems


Uber discovered its computer network had been breached Thursday, leading the company to take several of its internal communications and engineering systems offline as it investigated the extent of the hack.

The breach appeared to have compromised many of Uber’s internal systems, and a person claiming responsibility for the hack sent images of e-mail, cloud storage and code repositories to cybersecurity researchers and The New York Times.

“They just about have full access to Uber,” said Sam Curry, a security engineer at Yuga Labs who corresponded with the person who claimed to be responsible for the breach. “This is a complete compromise, from what it seems like.”

An Uber spokesperson said the company was investigating the breach and contacting law enforcement officials.

Uber employees were instructed not to use the company’s internal messaging service, Slack, and found that other internal systems were inaccessible, said two employees, who were not authorized to speak publicly.

Shortly before the Slack system was taken offline Thursday afternoon, Uber employees received a message that read: “I announce I’m a hacker and Uber has suffered a data breach.” The message went on to list several internal databases that the hacker claimed had been compromised.

The hacker compromised a worker’s Slack account and used it to send the message, the Uber spokesperson said. It appeared that the hacker was later able to gain access to other internal systems, posting an explicit image on an internal information page for employees.

The person who claimed responsibility for the hack told the Times that he had sent a text message to an Uber worker claiming to be a corporate information technology person. The worker was persuaded to hand over a password that allowed the hacker to gain access to Uber’s systems, a technique known as social engineering.

“These types of social engineering attacks to gain a foothold inside tech companies have been growing,” said Rachel Tobac, CEO of SocialProof Security. Tobac pointed to the 2020 hack of Twitter, in which youngsters used social engineering to break into the company. Similar social engineering techniques were used in recent breaches at Microsoft and Okta.

“We are seeing that attackers are getting smart and also documenting what’s working,” Tobac said. “They have kits now that make it easier to deploy and use these social engineering techniques. It’s become nearly commoditized.”

The hacker, who provided screenshots of internal Uber systems to demonstrate his access, said that he was 18 years old and had been working on his cybersecurity skills for several years. He said he had broken into Uber’s systems because the company had weak security. In the Slack message that announced the breach, the person also said Uber drivers should receive higher pay.

The person appeared to have access to Uber source code, e-mail and other internal systems, Curry said. “It looks as if perhaps they’re this kid who got into Uber and doesn’t know what to do with it, and is having the time of his life,” he said.

In an internal e-mail that was seen by the Times, an Uber executive told employees that the hack was under investigation. “We don’t have an estimate right now as to when full access to tools will be restored, so thanks for bearing with us,” wrote Latha Maripuri, Uber’s chief information security officer.

It was not the first time that a hacker had stolen data from Uber. In 2016, hackers stole information from 57 million driver and rider accounts, then approached Uber and demanded $100,000 to delete their copy of the data. Uber arranged the payment, but kept the breach secret for more than a year.

Joe Sullivan, who was Uber’s top security executive at the time, was fired for his role in the company’s response to the hack. Sullivan was charged with obstructing justice for failing to disclose the breach to regulators and is currently on trial.

Lawyers for Sullivan have argued that other employees were responsible for regulatory disclosures and said the company had scapegoated Sullivan.

This article originally appeared in The New York Times.
