Uber’s laptop community was breached on Thursday, main the corporate to take a number of of its inside communications and engineering programs offline because it investigated the extent of the hack.
The breach appeared to have compromised lots of Uber’s inside programs, and an individual claiming duty for the hack despatched photos of electronic mail, cloud storage and code repositories to cybersecurity researchers and The New York Instances.
“They beautiful a lot have full entry to Uber,” mentioned Sam Curry, a safety engineer at Yuga Labs who corresponded with the one that claimed to be chargeable for the breach. “This can be a whole compromise, from what it seems like.”
An Uber spokesman mentioned the corporate was investigating the breach and contacting legislation enforcement officers.
Uber staff had been instructed to not use the corporate’s inside messaging service, Slack, and located that different inside programs had been inaccessible, mentioned two staff, who weren’t licensed to talk publicly.
Shortly earlier than the Slack system was taken offline on Thursday afternoon, Uber staff obtained a message that learn, “I announce I’m a hacker and Uber has suffered a knowledge breach.” The message went on to listing a number of inside databases that the hacker claimed had been compromised.
The hacker compromised a employee’s Slack account and used it to ship the message, the Uber spokesman mentioned. It appeared that the hacker was later in a position to acquire entry to different inside programs, posting an specific photograph on an inside info web page for workers.
The one that claimed duty for the hack informed The New York Instances that he had despatched a textual content message to an Uber employee claiming to be a company info expertise individual. The employee was persuaded at hand over a password that allowed the hacker to achieve entry to Uber’s programs, a method often called social engineering.
“A lot of these social engineering assaults to achieve a foothold inside tech firms have been growing,” mentioned Rachel Tobac, chief govt of SocialProof Safety. Ms. Tobac pointed to the 2020 hack of Twitter, through which youngsters used social engineering to interrupt into the corporate. Comparable social engineering methods had been utilized in latest breaches at Microsoft and Okta.
“We’re seeing that attackers are getting sensible and likewise documenting what’s working,” Ms. Tobac mentioned. “They’ve kits now that make it simpler to deploy and use these social engineering strategies. It’s turn into nearly commoditized.”
The hacker, who supplied screenshots of inside Uber programs to display his entry, mentioned that he was 18 years previous and had damaged into Uber’s programs as a result of the corporate had weak safety.
The individual appeared to have entry to Uber supply code, electronic mail and different inside programs, Mr. Curry mentioned. “It looks like possibly they’re this child who acquired into Uber and doesn’t know what to do with it, and is having the time of his life,” he mentioned.
It was not the primary time {that a} hacker had stolen knowledge from Uber. In 2016, hackers stole info from 57 million driver and rider accounts after which approached Uber and demanded $100,000 to delete their copy of the information. Uber organized the fee however stored the breach a secret for greater than a 12 months.
Joe Sullivan, who was Uber’s prime safety govt on the time, was fired for his position within the firm’s response to the hack. Mr. Sullivan was charged with obstructing justice for failing to reveal the breach to regulators and is at present on trial.
Legal professionals for Mr. Sullivan have argued that different staff had been chargeable for regulatory disclosures and mentioned the corporate had scapegoated Mr. Sullivan.
