Uber investigates alleged hacking attack on its systems

Uber discovered that its computer network was breached on Thursday, prompting the company to shut down several of its internal communications and engineering systems as it investigated the extent of the hack.

The breach appears to have compromised many of Uber’s systems, and a person who claimed responsibility for the act sent images of email, cloud storage and code repositories to cybersecurity researchers and the New York Times.

“They pretty much have full access to Uber,” said Sam Curry, a security engineer at Yuga Labs who corresponded with the person who claimed he was responsible for the hack. “This is a total commitment, it seems.”

An Uber spokesperson said the company was investigating the breach and in contact with law enforcement authorities.

Uber employees were told not to use the company’s internal messaging service, Slack, and found that other internal systems were inaccessible, said two employees, who were not authorized to speak publicly.

Just before the Slack system was shut down on Thursday afternoon, Uber employees received a message that read: “I announce that I am a hacker and Uber has suffered a data breach.” The message went on to list several internal databases that the hacker said had been compromised.

The hacker hacked into an employee’s Slack account and used it to send the message, an Uber spokesperson said. It appears the hacker later gained access to other internal systems by posting an explicit photo on an internal employee information page.

The person who claimed responsibility for the hack told the Times that he had sent a message to an Uber employee claiming to be an Uber IT professional. The worker was persuaded to hand over a password that allowed the hacker to access Uber’s systems, a technique known as “social engineering.”

“These types of social engineering attacks to gain ground in tech companies are on the rise,” said Rachel Tobac, CEO of SocialProof Security. Tobac pointed to the 2020 Twitter hack, in which teenagers used this technique to blackmail the company. Similar social engineering techniques were used in recent breaches at Microsoft and Okta.

“We’re seeing hackers getting smart and also documenting what works,” Tobac said. “Now they have kits that make it easy to deploy and use these social engineering methods. It’s become almost a commodity.”

The hacker, who provided screenshots of Uber’s internal systems to demonstrate his access, said he is 18 years old and has been working on cybersecurity techniques for several years. He said he hacked into Uber’s systems because the company has weak security. In the Slack message announcing the breach, the person also said that Uber drivers should earn higher wages.

The person appeared to have access to Uber’s source code, email system and other internal applications, Curry said. “Looks like maybe it’s a kid who got into Uber and doesn’t know what to do with it, and he’s having a great time,” he said.

In an internal email seen by the Times, an Uber executive told employees that the hack is being investigated. “We don’t yet have an estimate of when full access to the tools will be restored, so thanks for joining us on this,” wrote Latha Maripuri, Uber’s director of information security.

It’s not the first time a hacker has stolen Uber data. In 2016, hackers stole information from 57 million driver and passenger accounts, then approached Uber and demanded $100,000 to delete their copy of the data. Uber provided the payment but kept the breach a secret for over a year.

Joe Sullivan, who was Uber’s chief security officer at the time, was fired for his role in the company’s reaction to the hack. Sullivan was charged with obstruction of justice for failing to disclose the violation to regulators and is currently on trial.

Sullivan’s lawyers argued that other employees were responsible for the regulatory disclosures and said the company used Sullivan as a scapegoat.

Translated by Luiz Roberto M. Gonçalves