An 18-year-old hacker has taken responsibility for hacking Uber and the details are not looking good for the rideshare company.
Tweet may have been deleted
On Thursday night, Uber announced that it had suffered a "cybersecurity incident" and that it was working with law enforcement on the issue. A reportin the New York Timesdetailed the "incident" as a data breach that had taken many of Uber's internal systems offline. As many more details have leaked from Uber employees, however, we now know much more about what happened.
SEE ALSO: 5 damning revelations from the Uber FilesSo, how did it go down? An 18-year-old hacker deployed basic social engineering techniques targeting an Uber employee. The hacker told the New York Timesthat he simply posed as an IT worker from corporate in a text message and was able to convince the employee to send over a password that gave him access.
"This is yet another example of what attack after attack has shown: social engineering is the predominant way that companies fall victim to breaches, and adversaries know it works," said Josh Yavor, chief information security officer for the cloud security company Tessian, in a statement to Mashable. "We keep seeing the same tactics play out regardless of the adversary or victim: adversaries know that people can be tricked into giving up their passwords."
On top of the simplicity of the hack, there's another incredible facet to this breach: Uber didn't know it was hacked until the teen hacker announcedhimself in the company's Slack channel.
Tweet may have been deleted
"Hi @here," the hacker's message began. "I announce i am a hacker and uber has suffered a data breach."
The hacker proceeded to run down some of the company's internal systems that were compromised, like Slack for example, and ended his message by calling out Uber for underpaying its drivers.
Uber employees, at first, thought the whole thing was a joke.
Sam Curry, a staff engineer at Yuga Labs, the company behind the Bored Ape Yacht Club NFT project, sharedadditional information about the hack which he says he received from a contact at Uber.
According to Curry's source, Uber's domain admin, Amazon Web Services admin, and GSuite were among some of the company accounts that were compromised. Screenshots, allegedly from the hacker, quickly spread showing his access to these services.
Tweet may have been deleted
"Anytime I request a website, I am taken to a REDACTED page with a pornographic image and the message “F*** you wankers,” explained Curry's Uber source.
Related Stories
- Uber gives users option to contact ADT with safety concerns
- Uber drops mask requirements in some cities including New York and D.C.
- Uber reveals rider ratings breakdown for first time
- Uber leaked info on 57 million people—then tried to cover it up
Uber also quickly warned its employees to stay away from Slack, but according to Curry's contact, many people in the company kept logging back on to check out everyone's joke responses.
Tweet may have been deleted
In its report on the hack, The Verge highlighted a Twitter thread from security researcher Corben Leo who got a bit technical with how the hacker was able to gain access to so many internal systems. Basically, once the employee sent his password to the teen, the young hacker was able to access the company VPN, scan the intranet, and find Powershell scripts containing credentials for multiple services.
Tweet may have been deleted
"Gaining entry to private data inside VPNs needs to be difficult and behind strict protections," explained Jack Moore, global cyber security advisor at cybersecurity company ESET, in a statement provided to Mashable. "Using a simple SMS as a vehicle to hack into their systems now leaves Uber with a lot of questions about how much data was compromised via such an easy method.”
Moore said that the attack should "highlight once again the importance of training staff to remain eagle eyed and with the ability to spot targeted phishing attempts and double check before handing over any sort of credentials."
This isn't the first time Uber has been hacked. Back in 2016, a 20-year-old was responsible for a security breachthat affected 57 million Uber customers around the world. This time time around, however, Uber says that sensitive user data wasn't compromised.