Uber says there is no evidence that users’ private information was compromised

Uber hack update: There is no evidence that users’ private information was compromised in the data breach.

Uber provided an update regarding the recent security breach of its internal computer systems, the company confirmed that there is no evidence that intruders had access to users’ private information.

“We have no evidence that the incident involved access to sensitive user data (like trip history).” reads the update provided by the company. “Internal software tools that we took down as a precaution yesterday are coming back online this morning.”

All the services provided by the company, including Uber, Eats, Freight, and the Uber Driver app are operational.

The company did not disclose details about the attack, several experts believe that it downplayed the incident and has no clear idea about the depth of the intrusion.

Uber on Thursday suffered a cyberattack, the attackers were able to penetrate its internal network and access internal documents, including vulnerability reports.

Uber notified law enforcement and started an internal investigation into the incident, a company spokesman confirmed.

According to the New York Times, the threat actors hacked an employee’s Slack account and used it to inform internal personnel that the company had “suffered a data breach” and provided a list of allegedly hacked internal databases.

“I announce I am a hacker and Uber has suffered a data breach.” states the message.

The company was forced to take its internal communications and engineering systems offline to mitigate the attack and investigate the intrusion.

The attackers allegedly compromised several internal systems and provided images of email, cloud storage and code repositories to The New York Times and some cyber security researchers.

“They pretty much have full access to Uber,” said Sam Curry, a security engineer at Yuga Labs who corresponded with the person who claimed to be responsible for the breach. “This is a total compromise, from what it looks like.”

The attackers also had access to the company’s HackerOne bug bounty program, which means that they had access to every bug report submitted to the company by white hat hackers. This information is very important, threat actors could use it to launch further attacks.

The hacker claims to be 18 years old and added that Uber had weak security, in the message sent via Slack he also said Uber drivers should receive higher pay.

The 18-year-old hacker tricked an Uber employee into accepting a multi-factor authentication (MFA) prompt that allowed him to register his device.

Then the youngster gained access to an internal network share that contained PowerShell scripts with privileged admin credentials. One of the powershell scripts contained login credentials for an admin user in Thycotic (PAM) that the attackers used to extract secrets for all services used by the company, including DA, DUO, Onelogin, AWS, and GSuite.

At this time it is unclear the motivation behind the security breach, The Washington Post argued that the hacker compromised the company’s networks for fun.

“In a subsequent interview on a messaging app, the alleged hacker told The Post that they had breached the company for fun and might leak source code “in a few months.”” reported The Washington Post.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)

[adrotate banner=”5″]

[adrotate banner=”13″]