Uber said Thursday that it contacted law enforcement after a hacker apparently breached its network. A security engineer said the intruder provided evidence of gaining access to crucial systems at the shuttle.
There was no indication that Uber’s vehicle fleet or its operation was affected in any way.
“It seems like they’ve compromised a lot of things,” said Sam Curry, an engineer at Yuga Labs who contacted the hacker. That includes full access to cloud environments hosted by Amazon and Google where Uber stores its source code and customer data, he said.
Curry said he spoke with multiple Uber employees who said they were “working to lock down everything internally” to restrict hackers’ access. That included the San Francisco company’s internal Slack messaging network, he said.
He said there was no indication the hacker had caused any harm or was interested in anything other than publicity. “My instinct is that it looks like they’re trying to get as much attention as possible.”
The hacker had alerted Curry and other security researchers to the intrusion Thursday night by using an internal Uber account to comment on vulnerabilities they had previously identified in the company’s network through its bug bounty program. which pays ethical hackers to discover network weaknesses.
The hacker provided a Telegram account address and Curry and other investigators then engaged them in a separate conversation, sharing screenshots of various pages of Uber’s cloud providers to prove they broke in.
The Associated Press attempted to contact the hacker on the Telegram account where Curry and the other investigators chatted with them. But nobody responded.
The New York Times reported that the person who claimed responsibility for the attack said he gained access through social engineering: He sent a text message to an Uber worker claiming to be a technology employee at the company and convinced him to to give him a password that gave them access to the network.
The Times said the hacker reported that he was 18 years old and said he broke in because the company had poor security.
A screenshot posted on Twitter and confirmed by researchers shows a chat with the hacker in which they say he obtained the credentials of an administrative user through social engineering.
Social engineering is a popular hacking strategy, as humans tend to be the weakest link in any network. Teens used a similar ploy in 2020 to hack Twitter
Uber said by email that it was “currently responding to a cybersecurity incident. We are in contact with the police.” He said he would provide updates on his Uber Comms Twitter account.
The company has been hacked before.
Its former chief security officer, Joseph Sullivan, is currently on trial on allegations that he paid hackers $100,000 to cover up a high-tech heist in 2016 that stole the personal information of some 57 million customers and drivers.