After severe breach, Uber says companies operational – KION546

By FRANK BAJAK
AP Expertise Author

The ride-hailing service Uber stated Friday that every one its companies are operational following what safety professionals have been calling a significant knowledge breach. It stated there was no proof the hacker received entry to delicate person knowledge.

What seemed to be a lone hacker introduced the breach on Thursday after apparently tricking an Uber worker into offering credentials.

Screenshots the hacker shared with safety researchers point out this particular person obtained full entry to the cloud-based techniques the place Uber shops delicate buyer and monetary knowledge.

It isn’t recognized how a lot knowledge the hacker stole or how lengthy they have been inside Uber’s community. Two researchers who communicated instantly with the particular person — who self-identified as an 18-year-old to one in all them— stated they appeared enthusiastic about publicity. There was no indication they destroyed knowledge.

However information shared with the researchers and posted broadly on Twitter and different social media indicated the hacker was in a position to entry Uber’s most vital inner techniques.

“It was actually dangerous the entry he had. It’s terrible,” stated Corbin Leo, one of many researchers who chatted with the hacker on-line.

He stated screenshots the particular person shared confirmed the intruder received entry to techniques saved on Amazon and Google cloud-based servers the place Uber retains supply code, monetary knowledge and buyer knowledge comparable to driver’s licenses.

“If he had keys to the dominion he may begin stopping companies. He may delete stuff. He may obtain buyer knowledge, change individuals’s passwords,” stated Leo, a researcher and head of enterprise growth on the safety firm Zellic.

Screenshots the hacker shared — a lot of which discovered their approach on-line — confirmed they’d accessed delicate monetary knowledge and inner databases. Amongst them was one by which the hacker introduced the breach on Uber’s inner Slack collaboration ssytem.

Sam Curry, an engineer with Yuga Labs who additionally communicated with the hacker, stated there was no indication that the hacker had executed any harm or was enthusiastic about something greater than publicity. “My intestine feeling is that it looks as if they’re out to get as a lot consideration as potential.”

Curry stated he spoke to a number of Uber workers Thursday who stated they have been “working to lock down every part internally” to limit the hacker’s entry. That included the San Francisco firm’s Slack community, he stated.

In an announcement posted on-line Friday, Uber stated “inner software program instruments that we took down as a precaution yesterday are coming again on-line.”

It stated all its companies — together with Uber Eats and Uber Freight — have been operational.

The corporate didn’t reply to questions from The Related Press together with about whether or not the hacker gained entry to buyer knowledge and if that knowledge was saved encrypted. The corporate stated there was no proof that the intruder accessed “delicate person knowledge” comparable to journey historical past.

Curry and Leo stated the hacker didn’t point out how a lot knowledge was copied. Uber didn’t suggest any particular actions for its customers, comparable to altering passwords.

The hacker alerted the researchers to the intrusion Thursday through the use of an inner Uber account on the corporate’s community used to submit vulnerabilities recognized by its bug-bounty program, which pays moral hackers to ferret out community weaknesses.

After commenting on these posts, the hacker offered a Telegram account handle. Curry and different researchers then engaged them in a separate dialog, the place the intruder offered screenshots of varied pages from Uber’s cloud suppliers to show they broke in.

The AP tried to contact the hacker on the Telegram account, however acquired no response.

Screenshots posted on Twitter appeared to substantiate what the researchers stated the hacker claimed: That they obtained privileged entry to Uber’s most crucial techniques by social engineering. Successfully, the hacker found the password of an Uber worker. Then, posing as a fellow employee, the hacker bombarded the worker with textual content messages asking them to substantiate that they’d logged into their account. In the end, the worker caved and offered a two-factor authentication code the hacker used to log in.

Social engineering is a well-liked hacking technique, as people are typically the weakest hyperlink in any community. Youngsters used it in 2020 to hack Twitter and it has extra not too long ago been utilized in hacks of the tech corporations Twilio and Cloudflare.

Uber has been hacked earlier than.

Its former chief safety officer, Joseph Sullivan, is presently on trial for allegedly arranging to pay hackers $100,000 to cowl up a 2016 high-tech heist by which the non-public info of about 57 million prospects and drivers was stolen.

Leave a Comment