If you’re one of the many people that uses Uber to get around, you might want to pay attention. The ride-share company has confirmed that it’s investigating a possible breach, and it sounds like this one is a doozy.
According to the New York Times (opens in new tab), Uber discovered its computer network had been breached on Thursday. The breach reportedly compromised some of Uber’s internal systems, with the alleged perpetrator sending images of emails, cloud storage and code repositories to the Times and cybersecurity researchers.
We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available.
— Uber Comms (@Uber_Comms) September 16, 2022
The hacker made themselves known by infiltrating the Uber Slack channel, and sending out the message “I announce I am a hacker and Uber has suffered a data breach.” This was followed by a list of internal databases they claim to have accessed, a message saying Uber drivers should get higher pay. as well as posting an explicit photo on an internal employee information page.
Two anonymous Uber employees, who asked to remain anonymous, told the TImes that Uber is telling staff not to use the company’s Slack channel. Meanwhile, other internal systems are said to be inaccessible.
What caused the alleged Uber data breach?
So how did this happen? Well, the person claiming responsibility has been pretty chatty about the whole deal.
The hacker told the New York Times that they sent a text message to an Uber worker, claiming to be a “corporate information technology person.” This led to them persuading the Uber employee in question to hand over the password needed to gain access to Uber’s internal VPN, which gave them access to the corporate network.
The hacker also told Acronis CISO Kevin Reed (opens in new tab) (via ZDNET (opens in new tab)) that they were able to access “highly privileged credentials on network file shares,” giving them access to the now-compromised systems.
The hacker also claimed to be 18 years old and had been “working on his cybersecurity skills for several years”. Apparently he broke into Uber’s systems because of the company’s weak security — or in other words, because he could.
A ‘total compromise’
Sam Curry, researcher from Yuga Labs, said that it looks like “a total compromise” and that the person responsible “pretty much [has] full access to Uber”. That includes access to the company source code, emails and other internal systems. Curry shared similar sentiments on Twitter (opens in new tab), but told the Times that “it seems like maybe they’re this kid who got into Uber and doesn’t know what to do with it, and is having the time of his life.”
Internal emails show an Uber executive telling employees that the breach is being investigated, but there’s no timeline on when full access will be restored. An Uber spokesperson told the Times they’re investigating the breach, and are in contact with law enforcement.
This isn’t the first time Uber has suffered a hack of this magnitude. Back in 2016 information from 57 million driver and rider accounts was stolen and held for ransom. Uber paid $100,00 in ransom money and actively covered up the incident until it was exposed a year later (opens in new tab) — something the company only officially admitted to in July (opens in new tab).
Joe Sullivan, the executive in charge of security, was fired as a result of the hack and is on trial for charges of obstruction of justice (opens in new tab) — on account of the hack not being disclosed to regulators.
How an Uber data breach could affect you
It’s not clear how much the hacker has access to, or what they intend to do with any information they acquire. Sam Curry could be right, and this is just a kid who managed to scam his way into the system to cause some havoc. However, even if that’s true, it doesn’t discount any malicious intent.
It’s also not entirely clear which systems they have access to, and what sort of information they contain. There’s not a whole lot that individual Uber users can do, but it is still worth changing your account password as a precaution. On top of that, if you have any accounts with the same password, change those too.
Ideally you’ll want to choose something unique, because using the same password multiple times is just asking for trouble. If you have trouble remembering them all, check out our list of the best password managers, and our guide on how to create strong passwords to keep your data safe.
In a statement given to TechCrunch, Chris Evans, HackerOne CISO and Chief Hacking Officer said the company “is in close contact with Uber’s security team, have locked their data down, and will continue to assist with their investigation.”
This is not the first time that Uber has been compromised. In 2016, hackers stole information from 57 million driver and rider accounts and then approached Uber and demanded $100,000 to delete the data. Uber made the payment to the hackers but kept the news of the breach quiet for more than a year.