Read Time: 4 minutes
The ride-hailing service Uber says all its services are operational following what security professionals are calling a major data breach
ByFRANK BAJAK AP Technology Writer
September 17, 2022, 3:00 PM
Uber expands electric car service to 25 North American markets
Upscale vehicle options now include Teslas and the Ford Mustang Mach-E.
The ride-hailing service Uber said Friday that all its services were operational following what security professionals are calling a major data breach, claiming there was no evidence the hacker got access to sensitive user data.
But the breach, apparently by a lone hacker, put the spotlight on an increasingly effective break-in routine involving social engineering: The hacker apparently gained access posing as a colleague, tricking an Uber employee into surrendering their credentials.
They were then able to locate passwords on the network that got them the level of privileged access reserved for system administrators.
The potential damage was serious: Screenshots the hacker shared with security researchers indicate they obtained full access to the cloud-based systems where Uber stores sensitive customer and financial data.
It is not known how much data the hacker stole or how long they were inside Uber’s network. Two researchers who communicated directly with the person — who self-identified as an 18-year-old to one of them — said they appeared interested in publicity. There was no indication they destroyed data.
https://imasdk.googleapis.com/js/core/bridge3.530.1_en.html#goog_1227205145
https://imasdk.googleapis.com/js/core/bridge3.530.1_en.html#goog_1672574236
https://imasdk.googleapis.com/js/core/bridge3.530.1_en.html#goog_1396581240
But files shared with the researchers and posted widely on Twitter and other social media indicated the hacker was able to access Uber’s most crucial internal systems.
“It was really bad the access he had. It’s awful,” said Corben Leo, one of the researchers who chatted with the hacker online.
The cybersecurity community’s online reaction — Uber also suffered a serious 2016 breach — was harsh.
The hack “wasn’t sophisticated or complicated and clearly hinged on multiple big systemic security culture and engineering failures,” tweeted Lesley Carhart, incident response director of Dragos Inc., which specializes in an industrial-control systems.
Leo said screenshots the hacker shared showed the intruder got access to systems stored on Amazon and Google cloud-based servers where Uber keeps source code, financial data and customer data such as driver’s licenses.
“If he had keys to the kingdom he could start stopping services. He could delete stuff. He could download customer data, change people’s passwords,” said Leo, a researcher and head of business development at the security company Zellic.
Screenshots the hacker shared — many of which found their way online — showed sensitive financial data and internal databases accessed. Also widely circulating online: The hacker announcing the breach Thursday on Uber’s internal Slack collaboration system.
Leo, along with Sam Curry, an engineer with Yuga Labs who also communicated with the hacker, said there was no indication that the hacker had done any damage or was interested in anything more than publicity.
“It’s pretty clear he’s a young hacker because he wants what 99% of what young hackers want, which is fame,” Leo said.
Curry said he spoke to several Uber employees Thursday who said they were “working to lock down everything internally” to restrict the hacker’s access. That included the San Francisco company’s Slack network, he said.
https://imasdk.googleapis.com/js/core/bridge3.530.1_en.html#goog_1989530023
https://imasdk.googleapis.com/js/core/bridge3.530.1_en.html#goog_511220565
https://imasdk.googleapis.com/js/core/bridge3.530.1_en.html#goog_840769751
In a statement posted online Friday, Uber said “internal software tools that we took down as a precaution yesterday are coming back online.”
It said all its services — including Uber Eats and Uber Freight — were operational and that it had notified law enforcement. The FBI said via email that it is “aware of the cyber incident involving Uber, and our assistance to the company is ongoing.”
Uber said there was no evidence that the intruder accessed “sensitive user data” such as trip history but did not respond to questions from The Associated Press including about whether data was stored encrypted.
Curry and Leo said the hacker did not indicate how much data was copied. Uber did not recommend any specific actions for its users, such as changing passwords.
The hacker alerted the researchers to the intrusion Thursday by using an internal Uber account on the company’s network used to post vulnerabilities identified through its bug-bounty program, which pays ethical hackers to ferret out network weaknesses.
After commenting on those posts, the hacker provided a Telegram account address. Curry and other researchers then engaged them in a separate conversation, where the intruder provided the screenshots as proof.
The AP attempted to contact the hacker at the Telegram account, but received no response.
Screenshots posted online appeared to confirm what the researchers said the hacker claimed: That they obtained privileged access to Uber’s most critical systems through social engineering.
The apparent scenario:
The hacker first obtained the password of an Uber employee, likely through phishing. The hacker then bombarded the employee with push notifications asking they confirm a remote log-in to their account. When the employee did not respond, the hacker reached out via WhatsApp, posing as a fellow worker from the IT department and expressing urgency. Ultimately, the employee caved and confirmed with a mouse click.
Social engineering is a popular hacking strategy, as humans tend to be the weakest link in any network. Teenagers used it in 2020 to hack Twitter and it has more recently been used in hacks of the tech companies Twilio and Cloudflare, said Rachel Tobac, CEO of SocialProof Security, which specializes in training workers not to fall victim to social engineering.
“The hard truth is that most orgs in the world could be hacked in the exact way Uber was just hacked,” Tobac tweeted. In an interview, she said “even super tech savvy people fall for social engineering methods every day.”
“Attackers are getting better at by-passing or hi-jacking MFA (multi-factor authentication),” said Ryan Sherstobitoff, a senior threat analyst at SecurityScorecard.
That’s why many security professionals advocate the use of so-called FIDO physical security keys for user authentication. Adoption of such hardware has been spotty among tech companies, however.
The hack also highlighted the need for real-time monitoring in cloud-based systems to better detect intruders, said Tom Kellermann of Contrast Security. “Much more attention must be paid to protecting clouds from within” because a single master key can typically unlock all their doors.
Some experts questioned how much cybersecurity has improved at Uber since it was hacked in 2016.
Its former chief security officer, Joseph Sullivan, is currently on trial for allegedly arranging to pay hackers $100,000 to cover up that high-tech heist, when the personal information of about 57 million customers and drivers was stolen.
Buy Microsoft Windows 11 Pro License Key at the most affordable price! With free technical support available. Instant delivery 24/7.
Windows 11 Pro Dijital Lisans Anahtarı – En uygun fiyatlarla güncelleyin ve profesyonel deneyimin keyfini çıkarın. Hemen Windows 11 Pro’yu satın alarak bilgisayarınızı güncelleyin. Ücretsiz teknik destek ile sorun yaşamadan kolayca kurulum yapabilir ve işlerinizi hızlandırabilirsiniz. Windows 11 Pro ile yeni özelliklerin ve güncellemelerin tadını çıkarın. Hızlı ve güvenilir bir şekilde Windows 11 Pro lisans anahtarınızı alın ve bilgisayarınızı en son sürümle güncelleyin.
OnlyFans yayınında seks oyuncaklarınız ile zevkli bir yayın deneyimine hazır mısınız
Seks Shop marketinizde aradığınız ürünler bir tık ötenizde %100 gizli kargo.
İş yerinde çalışan personellere özel olarak hazırlanmış Microsoft personel paketi sizlere en ayrıcalıklı hizmetleri sunar. Windows, MAC, İOS, Android işletim sistemlerinde bire bir uyumludur. Paketinizi dilediğiniz cihaz kullanabilirsiniz. Güvenlik sebebiyle 2 saat içerisinde etkinleştirme yapmanız gerekmektedir. Ürünlerde stok tutmak gibi bir durum mevcut değildir. Örneğin: Satın aldıktan 1 hafta / ay sonra kullanmak mümkün değildir. 2 Saat içerisinde etkinleştirme yapamayacaksanız lütfen daha sonra satın alın. Ürün 2 saat içerisinde kendini deaktive eder. Abonelik sadece 1 kişinin kullanımına uygundur. Eş zaman diliminde yalnızca bir tek kişi paketi kullanabilir. Kullanıcı başına 1 TB depolama alanına sahip olmasıyla birçok projeyi kaydedebilme olanağını sizlere sunuyor.
To the theinsightnewsonline.com owner, Thanks for sharing your thoughts!
Very well presented. Every quote was awesome and thanks for sharing the content. Keep sharing and keep motivating others.
You’re so awesome! I don’t believe I have read a single thing like that before. So great to find someone with some original thoughts on this topic. Really.. thank you for starting this up. This website is something that is needed on the internet, someone with a little originality!
This is really interesting, You’re a very skilled blogger. I’ve joined your feed and look forward to seeking more of your magnificent post. Also, I’ve shared your site in my social networks!
เกมส์กีฬาปัจจุบันเป็นสิ่งที่หลากหลายและน่าตื่นเต้นอย่างมาก ไม่ว่าจะเป็นฟุตบอล บาสเกตบอล แอมเอสบอล และยังมีมวย แบตมินตัน วอลเลย์บอล และกีฬาอื่นๆอีกมากมาย คุณจะได้สัมผัสประสบการณ์การชมการแข่งขันที่เป็นมิตรและคล้ายกันกับการมาชมแบบสดๆ เพียงแต่คุณอยู่ที่บ้านกับเพื่อนๆในคณะ ทั้งยังสามารถวางเดิมพันเพื่อเพิ่มความตื่นเต้นในการชมการแข่งขันได้อีกด้วย
This is my first time pay a quick visit at here and i am really happy to read everthing at one place
Pretty! This has been a really wonderful post. Many thanks for providing these details.
I very delighted to find this internet site on bing, just what I was searching for as well saved to fav
Nice post. I learn something totally new and challenging on websites
Good post! We will be linking to this particularly great post on our site. Keep up the great writing
Pretty! This has been a really wonderful post. Many thanks for providing these details.
To the theinsightnewsonline.com admin, You always provide clear explanations and definitions.
Dear theinsightnewsonline.com admin, You always provide great examples and real-world applications, thank you for your valuable contributions.
Hi theinsightnewsonline.com admin, Your posts are always on topic and relevant.
Hello theinsightnewsonline.com admin, Your posts are always well-timed and relevant.
Dear theinsightnewsonline.com administrator, Thanks for the well-structured and well-presented post!