Ride-hailing service Uber said on Friday that all of its services were up and running after what security experts are calling a major data breach, adding that there was no evidence the hacker gained access to sensitive user data.
But the break-in, apparently carried out by a lone hacker, has highlighted an increasingly effective social engineering technique: the hacker apparently gained access by impersonating a colleague and tricking an Uber employee into giving up their credentials.
Once inside, the hacker found passwords stored on the network that gave them the privileged access level reserved for system administrators.
The potential damage was severe: Screenshots shared by the hacker with security researchers show they gained full access to cloud systems where Uber stores sensitive customer data and financial data.
It is not known how much data the hacker stole or how long the hacker was inside Uber’s network. Two researchers who communicated directly with the person, who introduced themself to one of them as an 18-year-old, said they appeared to be interested in publicity. There was no indication that they destroyed any data.
But files handed over to researchers and widely shared on Twitter and other social networks showed that the hacker was able to gain access to Uber’s most critical internal systems.
“It was really bad access he had. It’s terrible,” said Corben Leo, one of the researchers who spoke with the hacker online.
The cybersecurity community reacted strongly online; Uber also suffered a major breach in 2016.
The hack “was not sophisticated or complex and clearly depended on numerous major security-system and engineering errors,” tweeted Lesley Carhart, director of incident response at Dragos Inc., which specializes in industrial control systems.
Leo said the screenshots shared by the hacker showed the attacker gained access to systems stored on Amazon and Google cloud servers, where Uber stores source code, financial data and customer data such as driver’s licenses.
“If he had the keys to the kingdom, he could start stopping services. He could delete things. It could download customer data, change people’s passwords,” said Leo, a researcher and head of business development at security company Zellic.
The screenshots shared by the hacker, many of which were leaked online, showed access to sensitive financial data and internal databases. Also circulating widely online was a message in which the hacker announced the hack on Thursday on Uber’s internal collaboration system, Slack.
Leo, along with Sam Curry, a Yuga Labs engineer who also spoke to the hacker, said there is no indication that the hacker has done any damage or is interested in anything more than publicity.
“It’s very clear that he’s a young hacker because he wants what 99 percent of young hackers want, which is fame,” Leo said.
Curry said he spoke Thursday to several Uber employees who said they were “working to lock down everything inside” to limit the hacker’s access. That included the San Francisco-based company’s Slack network, he said.
In a statement posted online on Friday, Uber said “in-house software tools that we disabled yesterday as a precautionary measure are returning to the network.”
The company said that all of its services, including Uber Eats and Uber Freight, were working and that it had notified law enforcement. The FBI said in an email that it is “aware of the cyber incident involving Uber and our assistance to the company continues.”
Uber said there was no evidence that the attacker gained access to “sensitive user data” such as travel history, but did not answer questions from The Associated Press, including whether the data was stored encrypted.
Curry and Leo said the hacker did not indicate how much data was copied. Uber has not recommended any specific actions to its users, such as changing passwords.
The hacker alerted researchers to Thursday’s intrusion by posting from an internal Uber account on the company’s network that is used to publish vulnerabilities identified through its bug bounty program, which pays ethical hackers to expose weaknesses in the network.
Along with those messages, the hacker provided a Telegram account address. Curry and other researchers then held a separate conversation with the hacker there, in which the attacker provided screenshots as evidence.
The AP tried to contact the hacker via a Telegram account but received no response.
Screenshots posted online appear to confirm what the researchers said the hacker claimed: they gained privileged access to Uber’s most critical systems through social engineering.
The hacker first obtained the Uber employee’s password, likely through phishing. The hacker then bombarded the employee with push notifications asking them to confirm a remote login to their account. When the employee did not respond, the hacker contacted them via WhatsApp, posing as an IT colleague and expressing urgency. In the end, the employee relented and approved the login prompt.
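The push-bombing sequence described above leaves a recognisable trace in MFA logs: a burst of ignored or denied push prompts for one account, followed by an approval. The following detector is an added example, not code from the article or from Uber; the log format, event names, window and threshold are assumptions, and the log lines are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window for earlier pushes
THRESHOLD = 5                   # assumed number of ignored/denied pushes that makes an approval suspect

# Constructed sample MFA log (not real data): timestamp user event source_ip
SAMPLE_LOG = """\
2022-09-15T20:01:03Z alice PUSH_TIMEOUT 198.51.100.7
2022-09-15T20:02:10Z alice PUSH_TIMEOUT 198.51.100.7
2022-09-15T20:03:15Z alice PUSH_DENIED 198.51.100.7
2022-09-15T20:04:20Z alice PUSH_TIMEOUT 198.51.100.7
2022-09-15T20:05:25Z alice PUSH_TIMEOUT 198.51.100.7
2022-09-15T20:06:30Z bob PUSH_APPROVED 192.0.2.44
2022-09-15T20:07:35Z alice PUSH_TIMEOUT 198.51.100.7
2022-09-15T20:09:40Z alice PUSH_APPROVED 198.51.100.7
"""

@dataclass
class Alert:
    user: str
    approved_at: datetime
    prior_failures: int   # ignored/denied pushes inside the window before the approval
    source_ip: str        # where the login that triggered the approved push came from

def parse_line(line: str):
    ts, user, event, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip

def detect_push_fatigue(lines, window=WINDOW, threshold=THRESHOLD):
    """Return one Alert per PUSH_APPROVED that follows at least `threshold`
    PUSH_TIMEOUT/PUSH_DENIED events for the same user within `window`."""
    history = {}   # user -> timestamps of recent timeouts/denials
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ts, user, event, ip = parse_line(line)
        # keep only failures still inside the look-back window
        recent = [t for t in history.get(user, []) if ts - t <= window]
        if event in ("PUSH_TIMEOUT", "PUSH_DENIED"):
            recent.append(ts)
        elif event == "PUSH_APPROVED" and len(recent) >= threshold:
            alerts.append(Alert(user, ts, len(recent), ip))
        history[user] = recent
    return alerts

if __name__ == "__main__":
    for a in detect_push_fatigue(SAMPLE_LOG.splitlines()):
        print(f"possible MFA fatigue: {a.user} approved at {a.approved_at} after {a.prior_failures} failures from {a.source_ip}")
```

A single approval with no preceding failures (bob) is not flagged, while alice’s approval after six ignored or denied prompts is.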
Social engineering is a popular hacking strategy because humans tend to be the weakest link in any network. Teens used it in 2020 to hack Twitter, and more recently it was used to hack the tech companies Twilio and Cloudflare, said Rachel Tobac, CEO of SocialProof Security, which specializes in training workers to avoid becoming victims of social engineering.
“The hard truth is that most organizations in the world can be hacked just like Uber was hacked,” Tobac tweeted. In an interview, she said that “even super tech-savvy people fall for social engineering methods every day.”
“Attackers are getting better at bypassing or intercepting MFA (multi-factor authentication),” said Ryan Sherstobitoff, Senior Threat Analyst at SecurityScorecard.
This is why many security professionals advocate the use of so-called FIDO physical security keys to authenticate users. However, adoption of such hardware among technology companies has been uneven.
The hack also highlighted the need for real-time monitoring on cloud systems to better detect intruders, said Contrast Security’s Tom Kellermann. “There should be a lot more focus on protecting clouds from the inside,” because one master key can usually open all of their doors.
Some experts question how much cybersecurity has improved at Uber since the 2016 hack.
Its former chief security officer, Joseph Sullivan, is currently on trial for allegedly arranging a $100,000 payout to hackers to cover up that earlier breach, in which the personal information of about 57 million customers and drivers was stolen.
Copyright 2022 Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or distributed.