- Uber acknowledged the security breach on Friday, saying that all of its services were up and running after what security experts described as a catastrophic data breach and that there was no sign the hacker had accessed sensitive user data.
- The attack, which looked like the work of a lone hacker, demonstrated an increasingly successful break-in approach based on social engineering.
- Because humans are the weakest link in every network, social engineering is a common hacking technique.
- The hacker’s screenshots, many of which were released online, showed sensitive financial data and internal systems being accessed.
- Some experts have questioned how much Uber’s cybersecurity has improved since the company was hacked in 2016.
The ride-hailing service said Friday that all of its services were operating following what security experts call a catastrophic Uber security breach and that there was no evidence the hacker had access to sensitive user data.
The Uber security breach was possible because of social engineering techniques
However, the intrusion, which appeared to be the work of a lone hacker, highlighted an increasingly successful break-in technique employing social engineering: the hacker presumably acquired access by impersonating a coworker and duping an Uber employee into handing over their credentials.
They were then able to locate network credentials that granted them the degree of privileged access reserved for system administrators. The potential harm was severe; according to screenshots the hacker shared with security researchers, they gained full access to the cloud-based systems where Uber holds critical consumer and financial data.
It is unknown how much data the hacker stole or how long they were inside Uber’s network. Two researchers who spoke directly with the individual, who self-identified as an 18-year-old to one of them, said the hacker appeared to be interested in recognition. There was no evidence that they destroyed data.
However, evidence of the Uber security breach provided by the researchers and extensively publicized on Twitter and other social media suggested that the hacker had access to Uber’s most critical internal systems.
Corben Leo, a researcher and head of business development at Zellic who communicated online with the hacker responsible for the Uber security breach, said: “It was really bad the access he had. It’s awful.” Leo added, “If he had keys to the kingdom he could start stopping services. He could delete stuff. He could download customer data, change people’s passwords.”
The cybersecurity community reacted to the Uber security breach
The internet cybersecurity community reacted angrily to Uber’s security failure, given that the company had already suffered a major security breach in 2016.
Dragos Inc.’s incident response director, Lesley Carhart, who specializes in industrial-control systems, tweeted, “There just isn’t a lot more to comment about the anatomy of the Uber hack. It wasn’t sophisticated or complicated and clearly hinged on multiple big systemic security cultures and engineering failures. We are all watching how they respond, internally and externally.”
According to screenshots shared by the hacker, they gained access to systems hosted on Amazon and Google cloud-based servers, where Uber stores source code, financial data, and user data such as driver’s licenses.
Screenshots of the Uber security breach supplied by the hacker, many of which were published online, revealed sensitive financial data and internal systems being accessed. Also widely circulated online: the hacker’s announcement of the vulnerability on Uber’s internal Slack communication channel on Thursday.
According to Leo and Sam Curry, an engineer at Yuga Labs who also talked with the hacker, there was no evidence that the hacker had done any harm or was interested in anything other than exposure. Leo said: “It’s pretty clear he’s a young hacker because he wants what 99% of what young hackers want, which is fame.”
Uber claims there is no evidence the hacker accessed sensitive user data
Curry said he spoke with numerous Uber employees on Thursday, who said they were “working to lock down everything internally” to limit the hacker’s access. He mentioned the San Francisco-based company’s Slack network.
Uber said in a statement put online Friday that “internal software tools that we took down as a precaution yesterday are coming back online.” It stated that all of its services, including Uber Eats and Uber Freight, were operating and that it had contacted authorities. The FBI stated in an email that it is “aware of the cyber incident involving Uber, and our assistance to the company is ongoing.”
Uber claimed there was no evidence that the attacker accessed “sensitive user data” such as travel history, but declined to answer questions, including whether the data was encrypted. According to Curry and Leo, the hacker did not specify how much data was copied. Uber does not currently advise its users to take any specific measures, such as resetting their passwords.
The hacker notified the researchers of the attack on Thursday by using an internal Uber account on the company’s network to comment on vulnerability reports submitted through the company’s bug-bounty program, which rewards ethical hackers for finding network flaws.
The hacker supplied a Telegram account address after commenting on those postings. Curry and his colleagues then engaged them in a separate chat, during which the intruder offered the screenshots as evidence.
The social engineering tactics used in the Uber security breach could be used against any organization
Screenshots shared online appeared to validate what the researchers said the hacker claimed about the Uber security breach: that they gained privileged access to Uber’s most sensitive systems using social engineering. The hacker appears to have stolen an Uber employee’s password first, most likely through phishing.
The hacker then inundated the employee with push alerts requesting confirmation of a remote log-in to their account. When the employee did not respond, the hacker contacted her over WhatsApp, posing as an IT department colleague and expressing urgency. Eventually, the employee relented and approved the log-in with a mouse click.
Humans are the weakest link in every network, so social engineering is a common hacking approach. Teenagers used it to breach Twitter in 2020, and it has recently been used in hacks of the Internet companies Twilio and Cloudflare, according to Rachel Tobac, CEO of SocialProof Security, which specializes in training employees not to fall prey to social engineering.
Tobac tweeted, “The hard truth is that most orgs in the world could be hacked in the exact way Uber was just hacked bc most do not employ the numerous best practices we’re talking about here to reduce the risks we just saw in this attack. This is a learning moment for almost everyone everywhere.”
Ryan Sherstobitoff, a senior threat analyst at SecurityScorecard, said: “Attackers are getting better at by-passing or hi-jacking MFA (multi-factor authentication).” As a result, several security experts recommend the adoption of so-called FIDO physical security keys for user authentication. However, the adoption of such devices has been patchy among IT businesses.
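The push-fatigue sequence described above (repeated push prompts that time out or are denied, followed by an approval) leaves a recognizable trace in authentication logs, and a FIDO key removes the approvable prompt altogether. The following is an added example, not code from the article or from Uber, of a small detector that flags that sequence in constructed log lines. The log format, event names, window and threshold are all assumptions made for this example.

```python
"""
Added example (not from the article or from Uber): detect the MFA push-fatigue
pattern in authentication logs. A user who receives many push prompts in a
short window, especially after denying one, and then approves a prompt is
flagged for review. Log format, event names and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: ISO-8601 timestamp, user, event, source IP.
# These lines are constructed for the example; "alice" shows the fatigue
# pattern, "bob" is a normal single prompt that is approved immediately.
SAMPLE_LOG = """\
2022-09-15T22:01:05Z alice MFA_PUSH_SENT 203.0.113.7
2022-09-15T22:01:35Z alice MFA_PUSH_TIMEOUT 203.0.113.7
2022-09-15T22:01:40Z alice MFA_PUSH_SENT 203.0.113.7
2022-09-15T22:02:10Z alice MFA_PUSH_DENIED 203.0.113.7
2022-09-15T22:03:00Z alice MFA_PUSH_SENT 203.0.113.7
2022-09-15T22:03:30Z alice MFA_PUSH_TIMEOUT 203.0.113.7
2022-09-15T22:05:30Z alice MFA_PUSH_SENT 203.0.113.7
2022-09-15T22:06:00Z alice MFA_PUSH_TIMEOUT 203.0.113.7
2022-09-15T22:09:00Z alice MFA_PUSH_SENT 203.0.113.7
2022-09-15T22:09:20Z alice MFA_PUSH_DENIED 203.0.113.7
2022-09-15T22:20:00Z alice MFA_PUSH_SENT 203.0.113.7
2022-09-15T22:20:15Z alice MFA_PUSH_APPROVED 203.0.113.7
2022-09-15T09:00:00Z bob MFA_PUSH_SENT 198.51.100.20
2022-09-15T09:00:12Z bob MFA_PUSH_APPROVED 198.51.100.20
"""

WINDOW = timedelta(minutes=30)  # assumed look-back window before an approval
PUSH_THRESHOLD = 5              # assumed number of prompts that counts as excessive


def parse_log(text):
    """Parse the assumed whitespace-separated log format into event tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, event, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip))
    return events


def detect_push_fatigue(events, window=WINDOW, threshold=PUSH_THRESHOLD):
    """Return one finding per approval preceded by excessive or denied prompts."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[1]].append(ev)

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e[0])
        for i, (ts, _, event, ip) in enumerate(evs):
            if event != "MFA_PUSH_APPROVED":
                continue
            # Count what happened to this user in the window before the approval.
            sent = denied = timed_out = 0
            for pts, _, pev, _ in evs[:i]:
                if ts - pts > window:
                    continue
                if pev == "MFA_PUSH_SENT":
                    sent += 1
                elif pev == "MFA_PUSH_DENIED":
                    denied += 1
                elif pev == "MFA_PUSH_TIMEOUT":
                    timed_out += 1
            # A single denied prompt followed by an approval is already suspicious:
            # the user said "no" and then "yes" to the same kind of request.
            if sent >= threshold or denied > 0:
                findings.append({
                    "user": user,
                    "approved_at": ts.isoformat(),
                    "source_ip": ip,
                    "push_count": sent,
                    "denied": denied,
                    "timed_out": timed_out,
                })
    return findings


if __name__ == "__main__":
    for f in detect_push_fatigue(parse_log(SAMPLE_LOG)):
        print(f"REVIEW: {f['user']} approved a push at {f['approved_at']} after "
              f"{f['push_count']} prompts ({f['denied']} denied, {f['timed_out']} timed out)")
```

Run against the constructed log, only alice is flagged: six prompts in twenty minutes, two of them explicitly denied, before the approval. On a real identity provider the same logic runs over its authentication events with the platform's own event names substituted; the denied-then-approved rule is worth keeping even with a looser prompt threshold, since an approval that follows a denial is the moment the employee "relented" in the sequence the article describes.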
According to Contrast Security’s Tom Kellermann, the intrusion also emphasized the need for real-time monitoring of cloud-based systems in order to detect intruders sooner. “Much more attention must be paid to protecting clouds from within,” he said, because a single master key can often open all of a cloud’s doors.
Some experts questioned how far the company’s cybersecurity has progressed since the 2016 Uber security breach. Its former top security officer, Joseph Sullivan, is presently on trial for allegedly conspiring to pay hackers $100,000 to cover up that high-tech robbery, in which nearly 57 million customers’ and drivers’ personal information was taken.