On the 16th of September, Uber disclosed a security breach. The news caused quite a stir online. But how did it happen? How did a company the size of Uber get compromised? The attacker has been quite upfront about how they got into Uber's corporate infrastructure.
However, Uber is not the only company to have fallen victim: other tech giants have been hit by the same group. Uber has since commented on the matter, attributing the attack to the Lapsus$ hacking group, while stating that it has found no evidence that customer or user data was accessed.
Last Thursday, Uber had to take several of its internal systems offline, including Slack, Amazon Web Services, and Google Cloud Platform. Uber has also been in close contact with the FBI and the US Justice Department.
Uber admits that the attacker accessed several internal systems, and its investigation has focused on determining whether there was any material impact. While the investigation is still ongoing, the ride-sharing company has shared some details of its current findings.
The company says it has not seen evidence that the attacker accessed the production (i.e. public-facing) systems that power its apps, any user accounts, or the databases it uses to store sensitive user information, such as credit card numbers, bank account details, or trip history. Uber also encrypts credit card information and personal health data, which offers a further layer of protection.
Uber has reviewed its codebase and has not found that the attacker made any changes. It also states that it has not found that the attacker accessed any customer or user data stored by its cloud providers (e.g. AWS S3). What the attacker did was download some internal Slack messages, plus some information from an internal tool used by the company's finance department. "We are currently analyzing those downloads," the company said in a statement.
The attacker was also able to access the company's dashboard at HackerOne, where security researchers report bugs and vulnerabilities. According to Uber, however, any bug reports the attacker was able to access have been remediated.
As for the alleged hacking group, Lapsus$ is known for a ransomware attack against the Brazilian Ministry of Health in December 2021, in which it reportedly stole the COVID-19 vaccination data of millions of Brazilians.
“This group typically uses similar techniques to target technology companies, and in 2022 alone has breached Microsoft, Cisco, Samsung, Nvidia, and Okta, among others. There are also reports over the weekend that this same actor breached video game maker Rockstar Games. We are in close coordination with the FBI and US Department of Justice on this matter and will continue to support their efforts,” Uber said.
Here is how simply it worked. Uber has said it is likely that the attacker purchased an Uber contractor's corporate password on the dark web. The contractor's personal device had been infected with malware, which exposed those credentials and allowed them to be sold on.
“The attacker then repeatedly tried to log in to the contractor’s Uber account,” the company said. “Each time, the contractor received a two-factor login approval request, which initially blocked access. Eventually, however, the contractor accepted one, and the attacker successfully logged in.”
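The pattern Uber describes, a stolen password replayed until the victim accepts one of the resulting push prompts, is what detection teams call MFA push fatigue or MFA bombing, and it leaves a recognisable trace in identity-provider logs. The Python below is an added example, not code from Uber or from the original article: it parses a few constructed log lines in an assumed "time user source_ip result" format and flags any account that approves a push after a burst of denied or timed-out prompts from the same source within a short window. The log format, field names, thresholds and sample data are all assumptions for illustration.

```python
"""
Detect an MFA push-fatigue sequence in authentication logs.

Added example, not Uber's code. The log format below is assumed:
    <ISO-8601 time> <user> <source_ip> <push_result>
where push_result is one of: approved, denied, timeout.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log. "alice" receives four failed/ignored pushes from
# one source and then approves one; "carol" has a single denial followed
# by a normal approval; "bob" just logs in.
SAMPLE_LOG = """\
2022-09-15T00:40:12Z bob 198.51.100.4 approved
2022-09-15T01:02:10Z alice 203.0.113.7 denied
2022-09-15T01:05:33Z alice 203.0.113.7 timeout
2022-09-15T01:09:48Z alice 203.0.113.7 denied
2022-09-15T01:12:05Z alice 203.0.113.7 denied
2022-09-15T01:14:51Z alice 203.0.113.7 approved
2022-09-15T02:10:00Z carol 192.0.2.9 denied
2022-09-15T02:30:00Z carol 192.0.2.9 approved
"""


@dataclass
class MfaEvent:
    ts: datetime
    user: str
    src_ip: str
    result: str  # approved | denied | timeout


def parse_log(text: str) -> List[MfaEvent]:
    """Parse the assumed whitespace-separated log format into events."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts_s, user, src_ip, result = line.split()
        ts = datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ")
        events.append(MfaEvent(ts, user, src_ip, result))
    return events


def detect_push_fatigue(events: List[MfaEvent],
                        min_failures: int = 3,
                        window: timedelta = timedelta(minutes=30)) -> List[dict]:
    """Return one alert per (user, source) that approved a push after at
    least `min_failures` denied/timed-out pushes from the same source
    within `window`. Thresholds are assumptions; tune to your IdP's data."""
    alerts = []
    # (user, source_ip) -> timestamps of recent failed or ignored pushes
    failures: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)

    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.user, ev.src_ip)
        # Slide the window: forget failures older than `window`.
        failures[key] = [t for t in failures[key] if ev.ts - t <= window]

        if ev.result in ("denied", "timeout"):
            failures[key].append(ev.ts)
        elif ev.result == "approved":
            if len(failures[key]) >= min_failures:
                alerts.append({
                    "user": ev.user,
                    "src_ip": ev.src_ip,
                    "failures_before_approval": len(failures[key]),
                    "approved_at": ev.ts.isoformat(),
                })
            # An approval ends the sequence either way.
            failures[key].clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(parse_log(SAMPLE_LOG)):
        print("MFA push fatigue suspected:", alert)
```

The rule keys on user plus source address because the attacker, not the victim, is generating the prompts; in a production pipeline you would key on whatever the identity provider records for the requesting device or session, and you would also treat the approval as a reason to re-verify the account rather than as proof that the login was legitimate.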
In an update published yesterday, Uber listed the key actions it has taken and continues to take:
- They identified any employee accounts that were compromised or potentially compromised and either blocked their access to Uber systems or required a password reset.
- They disabled many affected or potentially affected internal tools.
- They rotated keys (effectively resetting access) to many of their internal services.
- They locked down the codebase, preventing any new code changes.
- When restoring access to internal tools, they required employees to re-authenticate. They are also further strengthening their multi-factor authentication (MFA) policies.
- They added additional monitoring of their internal environment to keep an even closer eye on any further suspicious activity.