Uber on Thursday said it's investigating a cybersecurity incident following reports that the ride-hailing firm had been hacked.
“We are currently responding to a cybersecurity incident,” Uber said in a statement on Twitter. “We are in touch with law enforcement and will post additional updates here as they become available.”
A hacker gained control over Uber's internal systems after compromising the Slack account of an employee, according to the New York Times, which says it communicated with the attacker directly. Slack, a workplace messaging service, is used by many tech firms and startups for everyday communications. Uber has now disabled its Slack, according to a number of reports.
Shares of Uber declined 5% Friday on news of the hack.
After compromising Uber's internal Slack in a so-called social engineering attack, the hacker then went on to access other internal databases, the Times reported. In one Slack message, the hacker is alleged to have written: “I announce I am a hacker and Uber has suffered a data breach.”
A separate report, from the Washington Post, said the alleged attacker told the newspaper they'd breached Uber for fun and will leak the company's source code in a matter of months.
Employees initially thought the attack was a joke and responded to Slack messages from the alleged hacker with emojis and GIFs, the Post reported, citing two people familiar with the matter.
Screenshots shared on Twitter suggest the hacker also managed to take over Uber's Amazon Web Services and Google Cloud accounts, and gained access to internal financial data.
CNBC was unable to independently verify the information. Uber declined to comment beyond its statement posted on Twitter.
While it is not entirely clear yet how Uber's systems were compromised, cybersecurity researchers said preliminary reports indicate the hacker eschewed sophisticated hacking methods in favor of social engineering. This is where criminals prey on people's credulity and inexperience to gain access to corporate accounts and sensitive data.
“This is a pretty low-bar to entry attack,” said Ian McShane, vice president of strategy at cybersecurity firm Arctic Wolf. “Given the access they claim to have gained, I’m surprised the attacker didn’t attempt to ransom or extort, it looks like they did it ‘for the lulz’.”
“It’s proof once again that often the weakest link in your security defenses is the human,” McShane added.
Sam Curry, a self-described “bug bounty hunter,” said he'd been in contact with the alleged Uber hacker and claimed that the employee targeted was involved in incident response. Curry said that means the hacker probably had “elevated access to begin with.” Bug bounties are rewards offered by companies to hackers for the discovery of software vulnerabilities.
“From my understanding, the attacker had keys to the kingdom after obtaining an internal file with credentials to nearly everything,” he added. Curry works for crypto startup Yuga Labs as a security engineer and says he spoke with the hacker via Telegram, an instant messaging platform.
News of the attack comes as Uber's former security chief, Joe Sullivan, is standing trial over a 2016 breach in which the data of 57 million customers and drivers were stolen. In 2017, the company admitted to concealing the attack and, the following year, paid $148 million in a settlement with 50 U.S. states and Washington, D.C.
Uber has tried to clean up its image in the wake of the exit of Travis Kalanick in 2017, the controversial former CEO who founded the company in 2009. But scandals and controversies from Kalanick's tumultuous tenure continue to haunt the firm.
In July, The Guardian reported on the leak of hundreds of documents which detailed how Uber pushed into cities around the globe, even when it meant breaking local laws. In one instance, former CEO Travis Kalanick said that “violence guarantees success” after being confronted by other executives about concerns for the safety of Uber drivers sent to a protest in France.
In response to The Guardian's reporting at the time, Uber said the events were related to “past behavior” and “not in line with our present values.”