Uber Says Its Services Are Back Up After Serious Breach : NPR


An Uber sign will be installed at the company’s headquarters in San Francisco on Monday.

Jeff Chiu/AP


Ride-hailing service Uber said Friday all of its services were operational after what security experts described as a serious data breach. There is no evidence that the hacker gained access to sensitive user data.

What appeared to be a lone hacker announced the breach Thursday after apparently tricking an Uber employee into providing credentials.

Screenshots shared by the hacker with security researchers show that this individual was given full access to the cloud-based systems where Uber stores sensitive customer and financial data.

It is not known how much data the hacker stole or how long he stayed on Uber’s network. Two researchers who communicated directly with the individual – who identified himself to one of them as an 18-year-old – said they appeared interested in advertising. There was no indication that they were destroying data.

But files shared with the researchers and widely posted on Twitter and other social media showed the hacker was able to gain access to Uber’s key internal systems.

“The access he had was really bad. It’s awful,” said Corbin Leo, one of the researchers who chatted with the hacker online.

He said screenshots the person shared showed the intruder gained access to systems stored on Amazon and Google cloud-based servers where Uber keeps source code, financial data and customer data such as driver’s licenses.

“If he had keys to the kingdom, he could start hiring services. He could erase things. He could download customer data, change people’s passwords,” said Leo, a researcher and director of business development at security firm Zellic.

Screenshots shared by the hacker – many of which found their way onto the internet – showed that they had accessed sensitive financial data and internal databases. Among them was one in which the hacker announced the breach of Uber’s internal Slack collaboration system.

Sam Curry, an engineer at Yuga Labs who also communicated with the hacker, said there was no indication the hacker had done any harm or was interested in anything more than publicity. “My gut feeling is that it looks like they want to get as much attention as possible.”

Curry said he spoke to several Uber employees on Thursday, who said they were “working to lock everything down internally” to limit the hacker’s access. That included the San Francisco-based company’s Slack network, he said.

In a statement posted online Friday, Uber said, “Internal software tools that we shut down yesterday as a precaution are coming back online.”

It said all of its services – including Uber Eats and Uber Freight – are operational.

The company did not respond to questions from The Associated Press, including whether the hacker had gained access to customer data and whether that data was stored encrypted. The company said there was no evidence the intruder accessed “sensitive user data” such as travel history.

Curry and Leo said the hacker didn’t specify how much data was copied. Uber did not recommend any specific actions to its users, such as changing passwords.

The hacker alerted researchers to the breach Thursday by using an internal Uber account on the company’s network used to publicize vulnerabilities identified through its bug bounty program, which pays ethical hackers to find network weaknesses.

After commenting on these posts, the hacker provided a Telegram account address. Curry and other researchers then engaged them in a separate conversation, in which the intruder provided screenshots of various pages from Uber’s cloud providers to prove they broke in.

The AP tried to contact the hacker through the Telegram account but received no response.

Screenshots posted to Twitter appeared to confirm what the researchers said the hacker claimed: that they used social engineering to gain privileged access to Uber’s key systems. In fact, the hacker discovered the password of an Uber employee. Then the hacker, posing as a colleague, bombarded the employee with text messages asking him to confirm that he had logged into his account. Ultimately, the employee relented and provided a two-factor authentication code, which the hacker used to log in.

Social engineering is a popular hacking strategy, as humans tend to be the weakest link in any network. Teens used it to hack Twitter in 2020, and it has more recently been used in hacks of tech companies Twilio and Cloudflare.

Uber has been hacked before.

Its former chief security officer, Joseph Sullivan, is currently on trial for allegedly paying hackers $100,000 to cover up a 2016 high-tech heist that stole the personal information of some 57 million customers and drivers.

