Uber, in an update, said there was “no evidence” that users’ private information was compromised in a breach of its internal computer systems that was uncovered Thursday night.
“We have no evidence that the incident involved access to sensitive user data (like ride history),” the company said. “All of our services including Uber, Uber Eats, Uber Freight and the Uber Driver app are up and running.”
The ride-sharing company also said it had brought back all internal software tools it had previously removed as a precaution, reiterating that it had informed law enforcement of the matter.
It’s not immediately clear whether the incident resulted in other information being stolen or how long the intruder was inside Uber’s network.
Uber did not provide further details on how the incident unfolded, beyond saying that its investigation and response efforts are ongoing. But independent security researcher Bill Demirkapi called Uber’s “no evidence” position “sketchy”.
“‘No evidence’ could mean the attacker had access; Uber simply couldn’t find evidence that the attacker *used* this access for ‘sensitive’ user data,” Demirkapi said. “Explicitly saying ‘sensitive’ user data rather than user data as a whole is also weird.”
The breach allegedly involved a lone hacker, an 18-year-old, tricking an Uber employee into providing account access by social engineering the victim into accepting a multi-factor authentication (MFA) prompt, which allowed the attacker to register his own device.
After gaining an initial foothold, the attacker found an internal network share containing PowerShell scripts with privileged administrator credentials, giving carte blanche access to other critical systems, including AWS, Google Cloud Platform, OneLogin, the SentinelOne Incident Response Portal, and Slack.
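The scripts-with-embedded-credentials problem described above is one a defender can look for before an intruder does. The following is an added example, not code from the article or from Uber, of a small scanner that flags common ways credentials get hardcoded in PowerShell scripts and reports each hit with the secret value masked. The sample script, the rule names and the credential values are constructed for this example (the AWS access key id is the placeholder from AWS's own documentation); the rule set is deliberately narrow and would need extending for a real file share.

```python
"""Flag hardcoded credentials in PowerShell scripts found on a file share (added example)."""
import re
from pathlib import Path
from typing import Iterable, List, Tuple

# Each rule: (name, pattern). Names are constructed for this example.
RULES = [
    ("plaintext SecureString",
     re.compile(r"ConvertTo-SecureString\s+(?:-String\s+)?['\"][^'\"]+['\"].*-AsPlainText", re.I)),
    ("password parameter",
     re.compile(r"-(?:Password|Secret\w*|Token)\s+['\"][^'\"]+['\"]", re.I)),
    ("AWS access key id",
     re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("assigned password variable",
     re.compile(r"\$\w*(?:pass|pwd|secret|token)\w*\s*=\s*['\"][^'\"]+['\"]", re.I)),
]

# Constructed sample script of the kind a deployment team might leave on a share.
SAMPLE_SCRIPT = """\
# Constructed sample: a deployment helper of the kind left on a file share
$user = "svc-deploy"
$pass = "Hunter2!Winter"
$sec  = ConvertTo-SecureString -String "Hunter2!Winter" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($user, $sec)
Connect-AzAccount -Credential $cred
Set-AWSCredential -AccessKey AKIAIOSFODNN7EXAMPLE -SecretKey "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
Write-Host "deploy complete"
"""


def redact(line: str) -> str:
    """Mask quoted literals and AWS key ids so the finding itself does not leak the secret."""
    line = re.sub(r"""(['"])[^'"]*\1""", r"\1***\1", line)
    return re.sub(r"\bAKIA[0-9A-Z]{16}\b", "AKIA****", line)


def scan_script(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, rule_name, redacted_line) for every rule that matches a line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append((line_no, name, redact(line)))
    return findings


def scan_paths(paths: Iterable[Path]) -> List[Tuple[str, int, str, str]]:
    """Scan every *.ps1 file under the given directories; returns (path, line, rule, redacted)."""
    results = []
    for root in paths:
        for script in Path(root).rglob("*.ps1"):
            for line_no, name, shown in scan_script(script.read_text(errors="replace")):
                results.append((str(script), line_no, name, shown))
    return results


if __name__ == "__main__":
    for line_no, name, shown in scan_script(SAMPLE_SCRIPT):
        print(f"line {line_no}: {name}: {shown}")
```

Findings are reported with the secret masked so that the scan output can be filed as a ticket without itself becoming a second copy of the credential; the fix in each case is to move the secret into a managed store and have the script fetch it at run time under an identity with only the rights that task needs.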
Worryingly, as revealed by security researcher Sam Curry, the teenage hacker also allegedly got his hands on privately disclosed vulnerability reports submitted via HackerOne as part of Uber’s bug bounty program.
HackerOne has since moved to deactivate Uber’s account, but unauthorized access to the platform’s unpatched security flaws could pose a huge security risk to the San Francisco-based company if the hacker chooses to sell the information to other threat actors for a quick profit.
So far, the attacker’s motives behind the breach are unclear, although a message posted by the hacker on Slack announcing the breach included a call for higher pay for Uber drivers.
A separate report from the Washington Post noted that the attacker broke into the company’s networks for fun and could leak the company’s source code in a few months, while describing Uber’s security as “horrendous”.
“Often we just talk about APTs, like nation states, and forget about other threat actors, including disgruntled employees, insiders and, as in this case, hacktivists,” said Ismael Valenzuela Espejo, vice president of threat research and intelligence at BlackBerry.
“Organizations should include them in their threat modeling exercises to determine who may have a motivation to attack the business, their skill level and capabilities, and what the impact could be based on that analysis.”
The attack on Uber, along with the recent series of incidents against Twilio, Cloudflare, Cisco, and LastPass, illustrates how social engineering continues to be a persistent thorn in the side of organizations.
It also shows that all it takes is for an employee to share their login credentials for a breach to occur, proving that password authentication is a weak link in account security.
“Once again, we see that a company’s security is only as good as that of its most vulnerable employees,” Masha Sedova, co-founder and president of Elevate Security, said in a statement.
“We need to think beyond generic training, and instead pair our most at-risk employees with more specific protective controls. As long as we continue to treat cybersecurity solely as a technical challenge, we will continue to lose this battle,” Sedova added.
Incidents like these are also proof that time-based one-time password (TOTP) codes – typically generated through authenticator apps or sent as SMS messages – are inadequate as a two-factor authentication (2FA) roadblock.
One way to counter these threats is to use FIDO2-compliant, phishing-resistant physical security keys, which replace passwords with an external hardware device that handles authentication.
“MFA vendors should *by default* automatically lock accounts temporarily when too many prompts are sent in a short period of time,” Demirkapi said, urging organizations to limit privileged access.
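The lockout Demirkapi describes is simple to state and worth seeing as logic rather than a sentence. The following is an added example, not code from the article or from any MFA vendor, of a sliding-window throttle that refuses to send further push prompts once an account exceeds a small number in a short period, then replays it over a handful of constructed authentication log lines to show where the lock engages and when it expires. The thresholds (3 prompts per 5 minutes, 15-minute lockout), the log format and the user names are assumptions chosen for the example.

```python
"""Throttle MFA push prompts per account and replay the rule over constructed auth logs (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import Deque, Dict, List, Tuple


class PromptThrottle:
    """Sliding-window limiter: more than max_prompts in window_seconds locks the account."""

    def __init__(self, max_prompts: int = 3, window_seconds: int = 300, lockout_seconds: int = 900):
        self.max_prompts = max_prompts          # assumed threshold
        self.window_seconds = window_seconds    # assumed sliding window
        self.lockout_seconds = lockout_seconds  # assumed lockout length
        self._recent: Dict[str, Deque[float]] = defaultdict(deque)
        self._locked_until: Dict[str, float] = {}

    def request_prompt(self, user: str, now: float) -> str:
        """Return 'sent' if a push may go out, or 'locked' if the account is (now) in lockout."""
        until = self._locked_until.get(user)
        if until is not None:
            if now < until:
                return "locked"          # still inside the lockout period
            del self._locked_until[user]  # lockout expired; start counting afresh
        recent = self._recent[user]
        while recent and now - recent[0] > self.window_seconds:
            recent.popleft()             # drop prompts that fell out of the window
        recent.append(now)
        if len(recent) > self.max_prompts:
            self._locked_until[user] = now + self.lockout_seconds
            recent.clear()
            return "locked"              # this request trips the lock and is not sent
        return "sent"

    def is_locked(self, user: str, now: float) -> bool:
        return now < self._locked_until.get(user, 0.0)


# Constructed log lines: one record per push-prompt request the identity provider received.
SAMPLE_LOG = """\
ts=2022-09-15T22:01:00Z user=alice event=mfa_push_requested src=198.51.100.4
ts=2022-09-15T22:01:20Z user=alice event=mfa_push_requested src=198.51.100.4
ts=2022-09-15T22:01:40Z user=alice event=mfa_push_requested src=198.51.100.4
ts=2022-09-15T22:02:00Z user=alice event=mfa_push_requested src=198.51.100.4
ts=2022-09-15T22:02:10Z user=bob event=mfa_push_requested src=192.0.2.77
ts=2022-09-15T22:02:30Z user=alice event=mfa_push_requested src=198.51.100.4
ts=2022-09-15T22:30:00Z user=alice event=mfa_push_requested src=198.51.100.4
"""


def parse_line(line: str) -> Tuple[str, float]:
    """Extract (user, epoch seconds) from a key=value log line."""
    fields = dict(part.split("=", 1) for part in line.split())
    when = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return fields["user"], when.timestamp()


def replay(log_text: str, throttle: PromptThrottle = None) -> List[Tuple[str, str]]:
    """Apply the throttle to each logged request in order; returns (user, decision) per line."""
    throttle = throttle or PromptThrottle()
    decisions = []
    for line in log_text.splitlines():
        if "event=mfa_push_requested" not in line:
            continue
        user, now = parse_line(line)
        decisions.append((user, throttle.request_prompt(user, now)))
    return decisions


if __name__ == "__main__":
    for user, decision in replay(SAMPLE_LOG):
        print(f"{user}: {decision}")
```

In the replay, alice's fourth request within two minutes trips the lock, her next request is refused outright, and a request 28 minutes later is accepted again because the 15-minute lockout has lapsed; bob is unaffected because the counter is per account. A lock event is also a good signal to raise to the security team, since a legitimate user rarely needs more than one or two prompts for the same login.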