Data Breach

Uber hacked, internal systems and confidential documents were allegedly compromised

Uber on Thursday disclosed a security breach, threat actors gained access to its network, and stole internal documents.

Uber on Thursday suffered a cyberattack, the attackers were able to penetrate its internal network and access internal documents, including vulnerability reports.

According to the New York Times, the threat actors hacked an employee’s Slack account and used it to inform internal personnel that the company had “suffered a data breach” and provided a list of allegedly hacked internal databases.

“I announce I am a hacker and Uber has suffered a data breach.” states the message.

The company was forced to take its internal communications and engineering systems offline to mitigate the attack and investigate the intrusion.

The attackers allegedly compromised several internal systems and provided images of email, cloud storage and code repositories to The New York Times and some cyber security researchers.

“They pretty much have full access to Uber,” said Sam Curry, a security engineer at Yuga Labs who corresponded with the person who claimed to be responsible for the breach. “This is a total compromise, from what it looks like.”

The attackers also had access to the company’s HackerOne bug bounty program, which means that they had access to every bug report submitted to the company by white hat hackers. This information is very important, threat actors could use it to launch further attacks. At this time is not possible to exclude that the reports include technical details about some flaws that have yet to be fixed by the company.

HackerOne has immediately disabled the Uber bug bounty program blocking any access to the list of the reported issues.

Uber notified law enforcement and started an internal investigation into the incident, a company spokesman confirmed.

“We don’t have an estimate right now as to when full access to tools will be restored, so thank you for bearing with us,” Latha Maripuri, Uber’s chief information security officer, told NYT via email.

Employees were instructed not to use the internal messaging service Slack and some of them, speaking on a condition of anonymity, told the NYT that other internal systems were inaccessible.

The hacker claims to be 18 years old and added that Uber had weak security, in the message sent via Slack he also said Uber drivers should receive higher pay.

This is not the first time that the company suffered a security breach. In 2017, the news of another data breach that took place in 2016 made the headlines.

In November 2017, Uber CEO Dara Khosrowshahi announced that hackers broke into the company database and accessed the personal data (names, email addresses, and cell phone numbers) of 57 million of its users, the disconcerting revelation was that the company covered up the hack for more than a year.

The attackers accessed also the names and driver’s license numbers of roughly 600,000 of its drivers in the United States.

The hack happened in 2016, it was easy for hackers that according to a report published by Bloomberg, obtained credentials from a private GitHub site used by the company’s development team. The hackers tried to blackmail Uber and demanded $100,000 from the company in exchange for avoiding publishing the stolen data.

Rather than notify the data breach to customers and law enforcement, as is required by California’s data security breach notification law, the chief of information security Joe Sullivan ordered to pay the ransom and to cover the story destroying any evidence. The payout was disguised as a bug bounty prize complete with non-disclosure agreements signed

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Uber)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

11 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

17 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

1 day ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

1 day ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

2 days ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

2 days ago

This website uses cookies.