Uber is the victim of a large-scale cyberattack. A young hacker managed to break into the company’s internal communication system and recover sensitive data. The extent of the damage is yet to be determined…
Large companies are prime targets for hackers, because the accumulation of their users’ personal data constitutes a veritable gold mine. Uber has – once again – paid the price. The American giant, specialist in transport by VTC (passenger vehicle with driver) is indeed the victim of an unprecedented cyberattack. “We are currently experiencing a cybersecurity issue. We have contacted law enforcement and will post more information as it becomes available”has indicated the company on Twitter on the night of September 15 to 16, 2022. The New York Times conducted the investigation and discovered that a hacker had managed to break into the Slack account – an internal communication software – of an employee, and then sent a message to the other employees in order to inform them – or rather to brag – that he had managed to access the company’s data. For the moment, access to the Uber and Uber Eats applications is not impacted, but we still do not know the exact extent of the damage, in particular on the use that the hacker can make of the personal data of Uber users…
We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available.
—Uber Comms (@Uber_Comms) September 16, 2022
Uber hack: a cyberattack with undetermined consequences
It all started with a simple SMS. Hacker contacted one of Uber’s employees posing as the company’s IT manager – a classic social engineering technique – and convinced him to give him the password to gain access to the company’s virtual private network (VPN), where he found new, very high-level credentials for access the services used by the firm, such as its internal Slack messaging system, its Amazon Web Services account – which specializes in cloud storage – and even its expense tracking system. He then took screenshots to post on Slack, with the following message: “I am announcing that I am a hacker and that Uber has suffered a data breach.”
Uber immediately took its communication systems, including Slack, offline. The exact extent of the damage is still unknown, but it could be significant. Sam Curry, a Yuga Labs engineer who contacted the hacker, told The New York Times that he “Seems the hacker has compromised a lot of things. This includes full access to cloud environments hosted by Amazon and Google, where Uber stores its source code and customer data.” The hacker also contacted the newspaper, emailing it pictures of the emails, code repositories and information in the cloud. It is not yet known whether personal data of users could have been stolen. For now, the Uber and Uber Eats apps are still working in France.
The hacker took the opportunity to question Uber’s weak security – and demand that drivers be better paid. It must be said that this is not the first time that the company has been in turmoil. A trial has just started in the United States against Joe Sullivan, the company’s former chief security officer. In 2016, hackers stole the personal data of 57 million Uber users and drivers. They had asked for the sum of 100,000 dollars to erase the stolen data and not to reveal them publicly, a ransom that the firm had finally resolved to pay. A decision that goes against US laws, since companies are obliged to inform their customers during a data theft of this importance.