A major breach of the IT systems at Uber allowed hackers to post on the ride-sharing company’s Slack channel and allegedly gain access to source code.
On Sept. 19, Uber blamed hacking group Lapsus$ for the breach, which the company announced days earlier. Lapsus$ is an international hacking group known for attacking companies in the tech industry, including Microsoft, Cisco, Samsung, and Nvidia, in 2022 alone.
“The attacker accessed several internal systems, and our investigation has focused on determining whether there was any material impact,” Uber said in a statement.
At the end of its last financial year, Uber had 118 million active regular users.
While Uber says it has “no evidence” that the breach involved sensitive customer data, users should keep a close eye on their personal information, said Darryl MacLeod, the virtual chief information security officer at LARES Consulting, a cybersecurity consulting firm.
“While Uber says sensitive data is safe, customers should still be vigilant until Uber can confirm that it wasn’t breached,” MacLeod told the Washington Examiner.
Days after the Uber attack, the same hacker was blamed for striking Rockstar Games, which saw several videos of the company’s Grand Theft Auto 6 video game released.
In the Uber attack, the hacker announced the ride-sharing company had suffered a data breach on a company Slack channel.
However, the company hasn’t seen evidence that the attacker was able to access the public-facing systems that run Uber’s app, nor did the breach involve databases that the company uses to store sensitive information such as car trip history and credit card numbers, Uber said.
The company’s Uber ride-sharing, Uber Eats, and Uber Freight services remained online during and after the attack, the company said.
While this hack appears to be on Uber’s corporate IT environment and not on customer data, it’s worth noting that an attacker in 2016 harvested the data of 57 million Uber customers, noted Christopher Prewitt, the chief technology officer at Inversion6, a cybersecurity services provider.
“The optics of blaming an elite hacking group would make an attack like this seem impossible to defend. However, the attack path and skills used weren’t of high difficulty,” Prewitt told the Washington Examiner. “Lapsus$ is often known for high-profile attacks that aren’t necessarily monetized and done with a flair for the dramatic.”
In many cases, Lapsus$’s motivation appears to be “notoriety and bragging rights,” said MacLeod, the cybersecurity consultant.
Uber blamed a compromised account at an external contractor for its breach. The attacker likely purchased the contractor’s Uber corporate password on the dark web after the contractor’s personal device had been infected with malware, the company said. After obtaining the password, the attacker repeatedly tried to log into the contractor’s Uber account, and the contractor eventually accepted a two-factor authentication approval request.
The attacker then compromised several Uber employee accounts, giving the person access to several tools, including G-Suite and Slack, Uber said.
In the past, Lapsus$ has extorted the victims of its attacks and threatened to leak data if its demands weren’t met, said Yaron Kassner, the chief technology officer and co-founder at multifactor authentication provider Silverfort. “Publishing such information also serves to bolster their credentials and show future victims their intentions are serious,” Kassner told the Washington Examiner.
While Uber has said that it has not seen a breach of customer data, it may be too early to tell, Kassner said. Whether or not customer information is involved is “something that will only be fully ascertained once an incident investigation is complete, which takes time,” Kassner. “Given the high level of privileges obtained, it remains a possibility.”