Uber on Thursday suffered a cyberattack, the attackers were able to penetrate its internal network and access internal documents, including vulnerability reports.
According to the New York Times, the threat actors hacked an employee’s Slack account and used it to inform internal personnel that the company had “suffered a data breach” and provided a list of allegedly hacked internal databases.
“I announce I am a hacker and Uber has suffered a data breach.” states the message.
The company was forced to take its internal communications and engineering systems offline to mitigate the attack and investigate the intrusion.
The attackers allegedly compromised several internal systems and provided images of email, cloud storage and code repositories to The New York Times and some cyber security researchers.
“They pretty much have full access to Uber,” said Sam Curry, a security engineer at Yuga Labs who corresponded with the person who claimed to be responsible for the breach. “This is a total compromise, from what it looks like.”
The attackers also had access to the company’s HackerOne bug bounty program, which means that they had access to every bug report submitted to the company by white hat hackers. This information is very important, threat actors could use it to launch further attacks. At this time is not possible to exclude that the reports include technical details about some flaws that have yet to be fixed by the company.
HackerOne has immediately disabled the Uber bug bounty program blocking any access to the list of the reported issues.
Uber notified law enforcement and started an internal investigation into the incident, a company spokesman confirmed.
“We don’t have an estimate right now as to when full access to tools will be restored, so thank you for bearing with us,” Latha Maripuri, Uber’s chief information security officer, told NYT via email.
Employees were instructed not to use the internal messaging service Slack and some of them, speaking on a condition of anonymity, told the NYT that other internal systems were inaccessible.
The hacker claims to be 18 years old and added that Uber had weak security, in the message sent via Slack he also said Uber drivers should receive higher pay.
This is not the first time that the company suffered a security breach. In 2017, the news of another data breach that took place in 2016 made the headlines.
In November 2017, Uber CEO Dara Khosrowshahi announced that hackers broke into the company database and accessed the personal data (names, email addresses, and cell phone numbers) of 57 million of its users, the disconcerting revelation was that the company covered up the hack for more than a year.
The attackers accessed also the names and driver’s license numbers of roughly 600,000 of its drivers in the United States.
The hack happened in 2016, it was easy for hackers that according to a report published by Bloomberg, obtained credentials from a private GitHub site used by the company’s development team. The hackers tried to blackmail Uber and demanded $100,000 from the company in exchange for avoiding publishing the stolen data.
Rather than notify the data breach to customers and law enforcement, as is required by California’s data security breach notification law, the chief of information security Joe Sullivan ordered to pay the ransom and to cover the story destroying any evidence. The payout was disguised as a bug bounty prize complete with non-disclosure agreements signed
Follow me on Twitter: @securityaffairs and Facebook
|[adrotate banner=”9″]||[adrotate banner=”12″]|
(SecurityAffairs – hacking, Uber)