Uber announced on Thursday that it is responding to a cybersecurity incident involving a network breach and that it is in contact with law enforcement authorities.
The incident was first reported by the New York Times. When reached for comment, the company referred to its tweeted statement.
As per two employees who were not authorised to speak publicly, Uber employees were instructed not to use the company's internal messaging service, Slack, and discovered that other internal systems were inaccessible.
Uber employees received a message that read, "I announce I am a hacker and Uber has suffered a data breach" shortly before the Slack system was taken offline on Thursday afternoon. The message went on to list a number of internal databases that the hacker claimed were compromised.
"It appeared that the hacker was later able to gain access to other internal systems, posting an explicit photo on an internal information page for employees," the New York Times stated.
Uber has not released any additional information about the incident, but it appears that the hacker, believed to be an 18-year-old teenager, social-engineered the employee to obtain their password by impersonating a corporate IT employee and then used it to gain access to the internal network.
The attacker was able to circumvent the account's two-factor authentication (2FA) protections by bombarding the employee with push notifications and contacting the individual on WhatsApp to abide by the authorization by claiming to be from Uber's IT department.
The technique is similar to the recently disclosed Cisco hack, in which cybercriminal actors used prompt bombing to gain 2FA push acceptance.
"Once on the internal network, the attackers found high privileged credentials laying on a network file share and used them to access everything, including production systems, corp EDR console, [and] Uber slack management interface," Kevin Reed, a chief information security officer at Acronis, told The Hacker News.
It's not the first time
This is not Uber's first security breach. It came under fire for failing to adequately reveal a 2016 data breach that affected 57 million riders and drivers and then paying hackers $100,000 to obfuscate the breach. It was only in late 2017 that the public became aware of it.
Uber's top security executive at the time, Joe Sullivan, was fired for his role in the company's response to the hack. Mr. Sullivan was charged with obstructing justice for failing to notify regulators of the breach, and he is currently on trial. Mr. Sullivan's lawyers have argued that other employees were responsible for regulatory disclosures and that the company had made Mr. Sullivan a scapegoat.
In December 2021, Sullivan was sentenced to three additional counts of wire fraud in addition to the previously filed felony obstruction and misprision charges.
"Sullivan allegedly orchestrated the disbursement of a six-figure payment to two hackers in exchange for their silence about the hack," the superseding indictment said. It further said he "took deliberate steps to prevent persons whose PII was stolen from discovering that the hack had occurred and took steps to conceal, deflect, and mislead the U.S. Federal Trade Commission (FTC) about the data breach."
The latest breach comes as Sullivan's criminal case goes to trial in the United States District Court in San Francisco.
Reed concluded, "The compromise is certainly bigger compared to the breach in 2016. Whatever data Uber keeps, the hackers most probably already have access."
