
What Caused the Uber Data Breach in 2022?

Edward Kost


The Uber data breach began with a hacker purchasing stolen credentials belonging to an Uber employee from a dark web marketplace. An initial attempt to connect to Uber’s network with these credentials failed because the account was protected with MFA. To overcome this security obstacle, the hacker contacted the Uber employee via WhatsApp and, while pretending to be a member of Uber’s security, asked the employee to approve the MFA notifications being sent to their phone. The hacker then sent a flood of MFA notifications to the employee’s phone to pressure them into succumbing to this request. To finally put an end to this notification storm, the Uber employee approved an MFA request, granting the hacker network access, which ultimately led to the data breach.

After completing the attack, the hacker compromised an Uber employee’s Slack account and announced the successful breach to the entire company.

Screenshot of the hacker's breach announcement in Uber's Slack channel

This isn’t the first time Uber has been hacked. In 2016, two hackers breached Uber’s systems, accessing names, email addresses, and phone numbers of 57 million users of the Uber app.

What Data Did the Hacker Access?

After successfully connecting to Uber’s intranet, the hacker gained access to the company’s VPN and discovered Microsoft PowerShell scripts containing the login credentials of an admin user in Thycotic - the company’s Privileged Access Management (PAM) solution. This discovery significantly increased the severity of the breach by facilitating full admin access to all of Uber’s sensitive services, including DA, DUO, Onelogin, Amazon Web Services (AWS), and GSuite.

The hacker also allegedly accessed Uber’s bug bounty reports which usually contain details of security vulnerabilities yet to be remediated.

The 18-year-old hacker, believed to be associated with the cybercriminal group Lapsus$, revealed the details of the attack in a conversation with cybersecurity researcher Corben Leo.


Was any Sensitive User Data Stolen During the Uber Breach?

Despite the deep level of compromise the hacker achieved, no evidence of customer data theft has been announced. This is likely because the hacker wasn’t intent on causing harm but was, rather, chasing the thrill of a successful cyberattack and the hacker community respect that comes with it.

Had the hacker been motivated by financial gain, he would have likely sold Uber’s bug bounty reports on a dark web marketplace. Given the devastating data breach impact that’s possible with the findings of a bug bounty program, it would have sold for a very high price.

To say that Uber is lucky this hacker wasn’t an actual cybercriminal is a significant understatement. The company came so close to a complete system shutdown. From a cybersecurity perspective, it seems almost unbelievable that after taking complete control of Uber’s systems, the hacker just dropped everything and walked away. Without any security obstacles left to overcome, it would have been so easy to tie off the breach with a quick installation of ransomware.

Given Uber’s poor reputation for handling extortion attempts, thankfully, this didn’t happen. When Uber was breached in 2016, the company paid the cybercriminals their $100,000 ransom in exchange for deleting their copy of the stolen data. Then, in an attempt to conceal the event, the company forced the hackers to sign a non-disclosure agreement and made it appear like the ransom payment was an innocuous reward within the company’s bug bounty program.


4 Key Lessons From the Uber Data Breach

Several critical cybersecurity lessons can be learned from the Uber data breach. By applying them to your cybersecurity efforts, you could potentially avoid suffering a similar fate.

1. Implement Cyber Awareness Training

The fact that the Uber employee eventually gave in to the flood of MFA requests in the initial stage of the attack is evidence of poor awareness of a common MFA exploitation tactic known as MFA Fatigue. Had the Uber employee been aware of this tactic, they would have likely reported the threat rather than falling victim to it, which would have prevented the breach from happening. The hacker also utilized social engineering techniques to fool the Uber employee into thinking they were a member of Uber’s security team, which is another common cyberattack tactic.

Implementing cyber awareness training will equip your staff to recognize the common cyberattack methods that made this breach possible - MFA fatigue and social engineering.

The following free resources can be used to educate your employees about common cyber threats and the importance of cybersecurity:

  • What is Phishing?
  • What is Ransomware-as-a-Service?
  • What is Malware?
  • What is a Cyber Threat?
  • Why is Cybersecurity Important?
  • What is a Data Breach?

2. Be Aware of Common MFA Exploitation Methods

Not all Multi-Factor Authentication protocols are equal. Some are more vulnerable to compromise than others. Your cybersecurity teams should compare your current MFA processes against common exploit tactics and, if required, upgrade the complexity of authentication protocols to mitigate exploitation.


3. Never Hardcode Admin Login Credentials Anywhere (Ever)

Probably the most embarrassing cybersecurity blunder in this incident is the hardcoding of admin credentials inside a PowerShell script. This meant that the potential of an unauthorized user accessing Uber’s sensitive systems was always there - all that was required was for someone to read the PowerShell script and discover the admin credentials contained therein.

This security flaw would have been avoided if secure coding practices had been followed. Admin credentials should always be stored securely in a password vault and certainly never hardcoded anywhere.
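One way to catch this class of mistake before a script is committed or deployed is to scan PowerShell files for secrets written as string literals. The scanner below is an added example, not code from the original article or from Uber; its regex rules are heuristics, and the sample script, its values and the `Connect-ExampleVault` command are constructed for illustration.

```python
import re
from dataclasses import dataclass

# A quoted literal. Double-quoted strings containing `$` are skipped because
# PowerShell expands variables there, so the value is not stored in the file.
LITERAL = r"(?:'(?P<sq>[^'\n]+)'|\"(?P<dq>[^\"$\n]+)\")"
# Variable-name fragments that usually mark a secret (heuristic, an assumption).
SECRET_NAME = r"(?:pass(?:word|wd)?|pwd|secret|api[_-]?key|token)"

RULES = [
    # $adminPassword = "literal"
    ("literal-assigned-to-secret-variable",
     re.compile(r"\$\w*" + SECRET_NAME + r"\w*\s*=\s*" + LITERAL, re.I)),
    # ConvertTo-SecureString "literal" -AsPlainText -Force
    ("plaintext-securestring",
     re.compile(r"ConvertTo-SecureString\s+(?:-String\s+)?" + LITERAL
                + r"[^\n|;]*-AsPlainText", re.I)),
    # Some-Command -Password "literal"
    ("literal-password-parameter",
     re.compile(r"-(?:Password|Secret|ApiKey|Token)\b\s+" + LITERAL, re.I)),
]


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    excerpt: str  # the matching line with the matched secret value masked


def scan_powershell(text):
    """Return a Finding for every hardcoded-secret pattern in a script.

    Comment lines are scanned on purpose: a credential that was commented
    out is still readable by anyone who can open the file.
    """
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES:
            match = pattern.search(line)
            if not match:
                continue
            group = "sq" if match.group("sq") is not None else "dq"
            start, end = match.span(group)
            masked = line[:start] + "<redacted:%d chars>" % (end - start) + line[end:]
            findings.append(Finding(number, rule, masked.strip()))
    return findings


# Constructed sample script; every name and value in it is invented.
SAMPLE_SCRIPT = r'''
# Constructed sample script; every name and value below is invented.
$pamUser = "svc-admin"
$pamPassword = "Winter-Example-1"
$secure = ConvertTo-SecureString 'Spring-Example-2' -AsPlainText -Force
# $oldPassword = "Summer-Example-3"
Connect-ExampleVault -User $pamUser -Password "Autumn-Example-4"
$fromVault = Get-Secret -Name PamAdmin -Vault CorpVault
$fromEnv = ConvertTo-SecureString $env:PAM_PASSWORD -AsPlainText -Force
$prompted = Read-Host -AsSecureString "Password"
'''

if __name__ == "__main__":
    for f in scan_powershell(SAMPLE_SCRIPT):
        print(f"line {f.line}: {f.rule}: {f.excerpt}")
```

The last three lines of the sample show the alternatives the scanner leaves alone: a lookup from a secrets vault, an environment variable injected at run time, and an interactive prompt.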

4. Implement a Data Leak Detection Service

If the Uber hacker had more malicious intentions, customer data would have been stolen, published on the dark web, and accessed multiple times by cybercriminals before Uber even realized it was breached. It’s crucial for organizations to have a safety net in place for detecting dark web data leaks from undetected data breaches, from both first-hand and third-party attacks.

A data leak detection service notifies impacted businesses when sensitive data leaks are detected on the dark web so that cybersecurity teams can secure compromised accounts before they’re targeted in follow up attacks.


Reviewed by

Kaushik Sen


Uber Users: What You Need to Know about Last Month’s Data Breach

MET cybercrime expert on how hacker likely gained access to company data and systems

Photo of an Uber sign is displayed at the company's headquarters in San Francisco. Metal sign reads "Uber" on a glass-paned building.

Educating employees is crucial to prevent hacks, BU cybersecurity expert says. File photo by Jeff Chiu/AP Photo

Lindsay Shachnow (COM’25)

Last month, the internal databases of American multinational ride-share company Uber were hacked. The unnamed 18-year-old who claimed responsibility for the hack said Uber’s ineffective security measures made the breach possible. The hacker, who was eventually arrested and is in police custody, is said to have gained access to Uber’s secure data through “social engineering,” which means manipulating or deceiving someone, often with email or phone calls, to gain access to personal or financial information. These manipulation methods are becoming commonplace in the world of cybercrime. By posing as a corporate information technology worker, the hacker claimed to have convinced an Uber contractor to reveal the password to Uber’s systems. Uber says it is also possible the hacker bought the corporate password on the dark web.

According to Uber, having obtained the contractor’s password, the hacker sent repeated log-in requests to the contractor’s account and was then able to bypass Uber’s two-factor log-in authentication—a system where a user is granted access after electronically confirming their identity twice—when the contractor finally accepted the authentication. The hacker was also admitted to the Uber Slack account and posted a message that read: “I announce I am a hacker and Uber has suffered a data breach.”

A security update from Uber says they believe the cybercrime group Lapsus$ is responsible for the attack. “We’re working with several leading digital forensics firms as part of the investigation,” Uber writes. “We will also take this opportunity to continue to strengthen our policies, practices, and technology to further protect Uber against future attacks.”

BU Today spoke with Kyung-shick Choi (MET’02), a Metropolitan College professor of the practice and director of its Cybercrime Investigation & Cybersecurity programs, about the implications of the hack and how companies and users can protect themselves.

This interview has been edited for length and clarity.

with Kyung-shick Choi

BU Today: Can you briefly describe the scope of Uber’s security breach?

Choi: Uber’s security breach is quite an interesting case, because unlike other major breaches, I wonder if the hacker attained what they really wanted to attain. I was expecting some sort of ransomware attack so they could seek financial gain. But this time, it looks like they didn’t really get much. Of course, maybe Uber’s cybersecurity quickly responded to the incident, but they clearly stated they hacked right on the Slack. And so to me, that’s much more what the motivation could be. They already identified the potential suspect, Lapsus$. It’s a Brazilian hacker group—I presume a group of teenagers. We call them “cyber punks.” They have been really active recently and are gaining fame. I think maybe that’s why they were aiming at such a huge company.

BU Today: Can you talk about their methods, how they possibly gained access?

Choi: According to Uber, the hacker group purchased the log-in password from the dark web. It’s very common that hackers are trading, selling, and buying older password and log-in names. So consider, if they are cyber punks and not extremely skillful, just getting the credential through the dark web is the easiest way to commit crime, rather than a complicated hacking process. So maybe that’s what’s happening in this case.  Now, Uber has a two-factor authentication system, and so that’s double protection. With two-factor authentication, you get that notification and you have to press the buttons. So maybe [an Uber worker] thought, okay, I did it, and so they approve. So that’s one way, and that’s pure luck to be honest, if [the hackers] did it that way. Another way, if they’re really dedicated hackers, [is to] get deeper into the system. And then they [would] escalate the privilege and change the information to switch the contact to their own. It has to be a burner phone so that you can get your own authentication using the burner. That’s what pretty skillful hackers do, but it looks like the [Uber hackers were] not at that level. That’s my assumption. But normally cyber punks try and try and try, and can kind of luckily get in.

BU Today: What are the potential ramifications for users and their data as a result of the hack?

Choi: Personal data is so important. Every single person’s data can be weaponized and used against them. Your data can be used for criminal purposes, for account takeover, or financial gain. And then, of course, [hackers] can sell the information. And that’s why privacy is so important, in that we really have to protect ourselves.  I can expand it to sexual crime. And so if hackers find out the date of birth, location, and all of that, they can stalk people and then even commit sextortion. I’ve seen those cases a lot.  People think, oh, this is just one hack. But it’s not just one hack. The damage could be substantial to individuals, families, and the community at large. That’s why we have to be really cautious.

BU Today: What data is believed to be compromised by the attack?

Hackers downloaded the financial information from Slack. The financial information could be anything. It could be invoices or employment information. So, I think [Uber and the authorities] are currently investigating that and what types of information were compromised. According to them, nonsensitive data was exposed, but we don’t know until we really see what happened. Credit card information is encrypted and so that information is safe, and other travel information is secure. I think right after the incident [Uber] reported it to law enforcement and now the FBI is involved. I think [Uber] did the right thing, so once the FBI gets involved and they do a very extensive investigation, we will receive much more accurate information.

BU Today: Do you think Uber handled the situation well?

I didn’t see the evidence. If I investigated it, then maybe I could see the log file and when they really got hacked. In most hacking incidents, especially on a big scale, the corporations don’t report the victimization right away. I hope Uber reported it right away. At least the suspect and the hacking group left a message, but we don’t know when they really started. And so maybe they spent extensive time, maybe a month of time, until they got to that stage.  Commonly, major cases are similar in that way because [hacked companies] don’t want to ruin their reputation from the corporate side. They don’t want to give bad images to the public. Who’s going to use Uber if they constantly get hacked?  In this case, [Uber] saw the sign of the hack and they reported it to law enforcement. I think that’s the right way to do it. And that’s why maybe the damages, according to Uber, are minimal. Although, we don’t know yet.

BU Today: Are other rideshare apps vulnerable to similar attacks?

Of course. Because of the tendency of hackers, if they are professional hackers, they will never attack headquarters, because headquarters have a lot of security built right there. All the major hacks, if you really examine them, are not really happening by directly hacking into the main server. [Hackers] are always finding the small vendors. The size of the company could be very small. That’s a vulnerability right there. That’s also how you handle digital information, and that’s very important.  But definitely Lyft and all the others should be careful. So that means they need to educate their employees.

BU Today: What steps should Uber and other rideshare apps take to prevent similar attacks in the future?

I have my own theory and my theory has become dominant in computer crime victimization. It’s called “cyber-routine activities theory.” Very simple. There are two factors that contribute to computer crime victimization. So either online behavior, that means a human error, and/or there’s a security issue. Business emails getting compromised is always the number one computer crime victimization throughout the history of the internet or email.  Then another factor is cybersecurity. What if you don’t have basic protection? What if you don’t have the internal security management? Meaning, do you have a strong policy in place in your company? If something happens, incident response is so important. If you don’t have an incident response policy…they have everything. You just have to wait for law enforcement and watch the hackers stealing every single thing. You cannot do anything because you don’t know what to do.  Also important is educating employees. It’s critical. Many [hacking] cases, I would say close to 50 percent, come from an insider. So that’s why you have to maintain all the security credentials, especially when [employees] leave the company. Revenge is a huge factor. [If] they’re not just leaving nicely…[if] they’re doing something with it, maybe selling the information, or sharing all the credentials, or selling it to the dark web.

BU Today: It’s believed the hacker potentially gained access to Uber’s internal systems through a psychological manipulation tactic referred to as social engineering. How can Uber and other companies better prepare and train their employees to identify these persuasive techniques?

The effective training has to be hands-on training. So statistically speaking, hands-on training really boosts your long-term memory. This type of training is essential so that you feel it when you click it and see what happens. Our programs at MET are designed to train our future law enforcement in cybercrime investigation and cybersecurity. We’re creating a scenario. So we have a suspect and a victim. Students really feel it. They are investigating the case and see how [the hacker] sends a phishing email and they really observe. Also, technology quickly evolves, almost everyday. And then our online behavior quickly adapts. The companies should think about that and the changing technology. Companies should really know their employee populations and the characteristics for using social media, for example.

BU Today: How can users protect themselves and their personal data when using rideshare apps?

Anytime you hear an incident has happened, the first thing you have to do is change your passwords. If you see anything happen, like a hacking incident from the company side, I highly recommend changing passwords so [hackers] cannot do anything further.  And so of course, never use the password you have used before. If I were an Uber customer, I would have a very strong password. And be careful when you download apps, by making sure you are downloading genuine apps, because there are lots of replicated ones.


There are 4 comments on Uber Users: What You Need to Know about Last Month’s Data Breach

Excellent interview with Dr. Choi. Very important points to consider regarding doing what we can to take responsibility to be more cyber-safe.

Dr. Choi states, “Hackers downloaded the financial information from Slack. The financial information could be anything. It could be invoices or employment information.”

I have never seen invoices or financial information stored in Slack. Can someone elaborate?

Other patterns to look for:

Get an email from or about old bank accounts or companies you’ve had dealings with. This could be an indicator of a compromise. One should think “Did I initiate this?” If you didn’t, be suspicious of that information.

As an active defender in cybersecurity, I can say the fronts are being fought with very complex hacking methods and defenses. One that often gets skipped is the human element.

We can secure information in a variety of ways, and almost all of them can be undone with the human factor. People may very well still be our best line of defense against cyber threats.

Protection against the threat actors is not just the responsibility of cybersecurity professionals; we work with you, to help protect you. The better informed our human firewalls are, the more armed they are to stop these threats, even the lazy ones.

@emily “I have never seen invoices or financial information stored in Slack. Can someone elaborate?”

I’m going to assume a lot here: Slack does have inherent security protocols, that companies often deem “internal”. So with an internal Slack channel, companies and employees feel these pathways are safe to divulge sensitive information. This is understandable for the following: Teams are separated with remote work and pandemics. Teams may be separated by buildings, or someone is out of the office, etc.

All viable reasons, but while the measures are there to protect the information systems, it doesn’t take into account “what if someone else sees it” from over the shoulder to screen capture.

So good security best practice is even in Slack (secure channels) the assumption should be “is this information valuable to someone other than the intended recipient?” If your answer is YES?

ENCRYPT or DO NOT POST IT in Slack. Logs exist for many reasons, but historical data that is not redacted, backed up, or secured is always a risk.

Back to the human element. It’s easier for the team to work remotely if we can post invoices in Slack for quick viewing. That same ease of workflow also provides ease of access to information that should be guarded.

Even if the intent is to improve, the risk of that improvement should be mitigated.

I am an Uber driver and I feel as if my phone has been hacked ever since the end of August 2022. My phone company, US Cellular, can’t seem to figure out what is going on with my service not working. Even a new phone didn’t fix the problem.


UBER HACKED —

Uber was breached to its core, purportedly by an 18-year-old. Here’s what’s known

“I announce I am a hacker and Uber has suffered a data breach,” intruder says on Slack.

Dan Goodin - Sep 16, 2022 5:29 pm UTC

Uber app being used on a smartphone

Uber employees on Thursday discovered that huge swaths of their internal network had been accessed by someone who announced the feat on the company Slack channel. The intruder, who sent screenshots documenting the breach to The New York Times and security researchers, claimed to be 18 years old and was unusually forthcoming about how it occurred and just how far it reached, according to the news outlet, which broke the story.

It didn’t take long for independent researchers, including Bill Demirkapi, to confirm The New York Times coverage and conclude that the intruder likely gained initial access by contacting an Uber employee over WhatsApp.

The Uber hack is quite severe and wide ranging. Wishing their blue teams the best of luck and love during this understandably difficult period. Some thoughts & observations based on what we've seen so far 👉 1/N — Bill Demirkapi (@BillDemirkapi) September 16, 2022

After successfully obtaining the employee’s account password, the hacker tricked the employee into approving a push notification for multifactor authentication. The intruder then uncovered administrative credentials that gave access to some of Uber’s crown-jewel network resources. Uber responded by shutting down parts of its internal network while it investigates the extent of the breach.

It’s not yet clear precisely what data the hacker had access to or what other actions the hacker took. Uber stores a dizzying array of data on its users, so it’s possible private addresses and the hourly comings and goings of hundreds of millions of people were accessible or accessed.

Here’s what’s known so far.

How did the hacker get in?

According to the NYT, the above-linked tweet thread from Demirkapi, and other researchers, the hacker socially engineered an Uber employee after somehow discovering the employee’s WhatsApp number. In direct messages, the intruder instructed the employee to log in to a fake Uber site, which quickly grabbed the entered credentials in real time and used them to log in to the genuine Uber site.

Uber had MFA, short for multifactor authentication, in place in the form of an app that prompts the employee to push a button on a smartphone when logging in. To bypass this protection, the hacker repeatedly entered the credentials into the real site. The employee, apparently confused or fatigued, eventually pushed the button. With that the attacker was in.

After rifling around, the attacker discovered PowerShell scripts that an admin had stored that automated the process of logging in to various sensitive network enclaves. The scripts included the credentials needed.

What happened next?

The attacker reportedly sent company-wide texts on Uber Slack channels, announcing the feat.

“I announce I am a hacker and Uber has suffered a data breach,” one message read, according to the NYT. Screenshots provided evidence that the individual had access to assets, including Uber’s Amazon Web Services and G Suite accounts and code repositories.

It remains unclear what other data the hacker had access to and whether the hacker copied or shared any of it with the world at large. Uber on Friday updated its disclosure page to say: "We have no evidence that the incident involved access to sensitive user data (like trip history)."

What do we know about the hacker?

Not much. The person claims to be 18 years old and took to Uber Slack channels to complain that Uber drivers are underpaid. This, and the fact that the intruder took no steps to conceal the breach, suggest that the breach is likely not motivated by financial gain from ransomware, extortion, or espionage. The identity of the individual remains unknown so far.

What is Uber doing now?

The company acknowledged the breach and is investigating.

We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available. — Uber Comms (@Uber_Comms) September 16, 2022

Did an 18-year-old really access the crown jewels of one of the world’s most sensitive companies? How can this be?

It’s too soon to say for sure, but the scenario seems plausible, even likely. Phishing attacks remain one of the most effective forms of network intrusion. Why bother with expensive and complex zero-day exploits when there are much easier ways to trespass?

Does this mean MFA using one-time passwords or pushes are useless?

This sort of MFA will protect users if their password is compromised through a database breach. But as has been demonstrated repeatedly, they are woefully inadequate at stopping phishing attacks. So far, the only forms of MFA that are phishing-resistant are those that comply with an industry standard known as FIDO2. It remains the MFA gold standard.

Many organizations and cultures continue to believe that their members are too smart to fall for phishing attacks. They like the convenience of authenticator apps as compared to FIDO2 forms of MFA, which require the possession of a phone or physical key. These types of breaches will remain a fact of life until this mindset changes.

What is the reaction to the breach so far?

Uber’s stock price was down about 4 percent on Friday, amid a broad sell off that sent share prices of many companies even lower. The Dow Jones Industrial Average dropped 1 percent. The S&P 500 and Nasdaq Composite fell 1.2 percent and 1.6 percent, respectively. It’s not clear what’s driving Uber shares lower and what effect, if any, the breach has in the drop.

Uber Hack Update: Was Sensitive User Data Stolen & Did 2FA Open Door To Hacker?

Uber has confirmed it is investigating a cybersecurity incident

September 18 update below. This post was originally published on September 15

The New York Times is reporting that Uber has been hacked. Here's what we know so far concerning this breaking story.

The ride-hailing and food delivery company has suffered a systems breach, according to the report, with employees unable to access internal tools such as Slack. One employee resource page is said to have had a not safe for work image posted to it by the hacker. A bug bounty hunter and security engineer not involved in the alleged hack has posted a comment that is attributed to an Uber employee, who wished to remain anonymous, which claims they were told to stop using Slack and "anytime I request a website, I am taken to a page with a pornographic image" and the message 'f*** you wankers.'

Another bug bounty hunter has tweeted a screenshot, allegedly from the hacker, where they state, "I announce I am a hacker and Uber has suffered a data breach. Slack has been stolen..." with a hashtag of #uberunderpaisdrives

What has Uber said about the hack?

I reached out to Uber for a comment and was pointed to an official statement posted to Twitter which reads: "We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available."


I have seen messages from someone who claims various Uber admin accounts are under their control. A New York Times reporter says that the hacker tells them he is 18 years old and hacked the Uber systems because "they had weak security." He further claims this was accomplished through the social engineering of an Uber employee to obtain login credentials.

September 18 update

Uber still hasn't had much to say publicly about the incident, which appears to have allowed extensive access to internal systems. This is not all that surprising as investigations are ongoing. Nearly all the evidence of the hack has come from the alleged hacker themselves, in the form of multiple postings and screenshots. However, the Uber and Uber Eats PR team, posting via the @Uber_Comms Twitter account and at the Uber Newsroom online, have released a security update.

Uber confirms incident and says no evidence of sensitive user data exposure

This confirms that the investigation and response efforts continue and states that Uber has "no evidence that the incident involved access to sensitive user data (like trip history)" while confirming all Uber services are operational. The update also says that internal software tools that were initially taken offline are also back in operation.

Which is great news as far as it goes. The problem is that the more cynical of readers may cite the very specific language used as not providing real clarity. Saying 'no evidence' is not the same as saying it hasn't happened, combine that with 'sensitive user data' that is only defined in the statement as being 'like trip history', and there are more questions than answers here. Especially given the lack of any statement surrounding the extent of the network breach, the systems accessed, and the level of access acquired by the hacker. One can only hope that such clarity is provided in the coming days and weeks. There hasn't been any notification in my Uber app on the iPhone, so one assumes that there will be users who are blissfully unaware that any cybersecurity breach has even happened.

Did MFA fatigue open the door for the Uber hacker?

Where there does appear to be a little more clarity is in the initial attack technique likely used to pry the Uber system’s front door open. The alleged hacker has boasted about how they used what is known in the cybersecurity industry as MFA fatigue as a weapon. Multi-Factor Authentication, which most non-technical users will think of as Two-Factor Authentication (2FA), is a worthy layer in overall network defenses. However, the hacker has claimed that Uber was using 'push authentication' (where the user is asked if it's them logging in on a device such as their laptop or smartphone), and a targeted employee was spammed with these "for over an hour." The hacker says the user was then contacted via WhatsApp under the guise of being from the Uber IT team and told they needed to accept the authentication request in order to stop them from continuing. "He accepted and I added my device," the hacker claims.
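From the defender's side, the sequence claimed here (a long run of unapproved push prompts, one approval, then a new device being added) is detectable in authentication logs. The following is an added example, not code from the article or from Uber; the event field names, thresholds and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

T0 = datetime(2022, 1, 1, 9, 0)  # arbitrary start time for the constructed sample


def build_sample_events():
    """Constructed events; the field names are assumptions, not a vendor schema."""
    def ev(minute, user, kind, result=None):
        return {"ts": T0 + timedelta(minutes=minute), "user": user,
                "type": kind, "result": result}

    events = []
    # alice: a push prompt every 3 minutes for an hour, none of them approved ...
    for i in range(20):
        events.append(ev(3 * i, "alice", "push", "timeout" if i % 2 else "denied"))
    # ... then one approval, then a new authenticator device two minutes later.
    events.append(ev(60, "alice", "push", "approved"))
    events.append(ev(62, "alice", "device_enrolled"))
    # bob: one mistaken denial followed by a normal approval.
    events.append(ev(5, "bob", "push", "denied"))
    events.append(ev(6, "bob", "push", "approved"))
    # carol: routine device enrollment with no preceding flood.
    events.append(ev(10, "carol", "push", "approved"))
    events.append(ev(12, "carol", "device_enrolled"))
    return events


def detect_push_fatigue(events, window=timedelta(minutes=60), threshold=10,
                        enroll_grace=timedelta(minutes=15)):
    """Return (user, alert, timestamp) tuples for three escalating conditions.

    PUSH_FLOOD            threshold unapproved prompts inside the sliding window
    APPROVAL_AFTER_FLOOD  an approval arrives while the flood is still in the window
    ENROLL_AFTER_FLOOD    a device is enrolled shortly after such an approval
    """
    recent = defaultdict(deque)  # user -> timestamps of unapproved prompts
    flagged = {}                 # user -> time of the suspicious approval
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, ts = ev["user"], ev["ts"]
        q = recent[user]
        while q and ts - q[0] > window:  # drop prompts older than the window
            q.popleft()
        if ev["type"] == "push" and ev["result"] in ("denied", "timeout"):
            q.append(ts)
            if len(q) == threshold:      # alert when the count reaches the threshold
                alerts.append((user, "PUSH_FLOOD", ts))
        elif ev["type"] == "push" and ev["result"] == "approved":
            if len(q) >= threshold:
                alerts.append((user, "APPROVAL_AFTER_FLOOD", ts))
                flagged[user] = ts
            q.clear()                    # a successful login resets the count
        elif ev["type"] == "device_enrolled":
            approved_at = flagged.get(user)
            if approved_at is not None and ts - approved_at <= enroll_grace:
                alerts.append((user, "ENROLL_AFTER_FLOOD", ts))
    return alerts


if __name__ == "__main__":
    for user, alert, ts in detect_push_fatigue(build_sample_events()):
        print(ts.isoformat(), user, alert)
```

The first alert is the point at which a response (pausing prompts for the account, contacting the user through a verified channel) can still prevent the approval; the later two indicate the account should be treated as compromised.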

Abhay Bhargav, CEO at AppSecEngineer, says that it appears the MFA phishing attack "led to a PowerShell script getting discovered, with admin credentials to their Thycotic PAM (Privileged Access Management) tool. With all credentials being part of this PAM solution, now the entire org was compromised because the PAM had access to Amazon Web Services (AWS), Google Workspace, Slack and more."

Uber security vulnerability reports could have been stolen

Bleeping Computer has been in contact with the alleged hacker and has seen screenshots showing access to "critical Uber IT systems" that include security software, Amazon Web Services console, Google Workspace email admin dashboard and the aforementioned Slack server. It would also appear that the hacker gained access to Uber's HackerOne vulnerability bug bounty account, leaving comments on a number of report tickets. This could yet prove to be one of the most valuable resources from the attacker's perspective, as it has been claimed that Uber's vulnerability reports were downloaded. Marten Mickos, the HackerOne CEO, has stated that the Uber account has been locked down and the company is working with Uber to assist in the investigation.

"This attack has left Uber with a significant amount of data leaked with the potential of including customer and driver’s personal data," Jake Moore, global cyber security advisor at ESET, said. "This is seemingly the work of a clever socially engineered attack. Gaining entry to private data inside VPNs needs to be difficult and behind strict protections. This leaves Uber with a lot of questions about how much data was compromised via such an easy method."

It is not known what, if any, customer data might have been accessed at this point in time. This is a developing story, and I will keep updating it as more details emerge.

Davey Winder


After a serious breach, Uber says its services are operational again

The Associated Press

An Uber sign is displayed at the company's headquarters in San Francisco on Monday. Jeff Chiu/AP

The ride-hailing service Uber said Friday that all its services are operational following what security professionals were calling a major data breach. It said there was no evidence the hacker got access to sensitive user data.

What appeared to be a lone hacker announced the breach on Thursday after apparently tricking an Uber employee into providing credentials.

Screenshots the hacker shared with security researchers indicate this person obtained full access to the cloud-based systems where Uber stores sensitive customer and financial data.

It is not known how much data the hacker stole or how long they were inside Uber's network. Two researchers who communicated directly with the person — who self-identified as an 18-year-old to one of them — said they appeared interested in publicity. There was no indication they destroyed data.

But files shared with the researchers and posted widely on Twitter and other social media indicated the hacker was able to access Uber's most crucial internal systems.

"It was really bad the access he had. It's awful," said Corbin Leo, one of the researchers who chatted with the hacker online.

He said screenshots the person shared showed the intruder got access to systems stored on Amazon and Google cloud-based servers where Uber keeps source code, financial data and customer data such as driver's licenses.

"If he had keys to the kingdom he could start stopping services. He could delete stuff. He could download customer data, change people's passwords," said Leo, a researcher and head of business development at the security company Zellic.

Screenshots the hacker shared — many of which found their way online — showed they had accessed sensitive financial data and internal databases. Among them was one in which the hacker announced the breach on Uber's internal Slack collaboration system.

Sam Curry, an engineer with Yuga Labs who also communicated with the hacker, said there was no indication that the hacker had done any damage or was interested in anything more than publicity. "My gut feeling is that it seems like they are out to get as much attention as possible."

Curry said he spoke to several Uber employees Thursday who said they were "working to lock down everything internally" to restrict the hacker's access. That included the San Francisco company's Slack network, he said.

In a statement posted online Friday, Uber said "internal software tools that we took down as a precaution yesterday are coming back online."

It said all its services — including Uber Eats and Uber Freight — were operational.

The company did not respond to questions from The Associated Press including about whether the hacker gained access to customer data and if that data was stored encrypted. The company said there was no evidence that the intruder accessed "sensitive user data" such as trip history.

Curry and Leo said the hacker did not indicate how much data was copied. Uber did not recommend any specific actions for its users, such as changing passwords.

The hacker alerted the researchers to the intrusion Thursday by using an internal Uber account on the company's network used to post vulnerabilities identified through its bug-bounty program, which pays ethical hackers to ferret out network weaknesses.

After commenting on those posts, the hacker provided a Telegram account address. Curry and other researchers then engaged them in a separate conversation, where the intruder provided screenshots of various pages from Uber's cloud providers to prove they broke in.

The AP attempted to contact the hacker at the Telegram account, but received no response.

Screenshots posted on Twitter appeared to confirm what the researchers said the hacker claimed: That they obtained privileged access to Uber's most critical systems through social engineering. Effectively, the hacker discovered the password of an Uber employee. Then, posing as a fellow worker, the hacker bombarded the employee with text messages asking them to confirm that they had logged into their account. Ultimately, the employee caved and provided a two-factor authentication code the hacker used to log in.

Social engineering is a popular hacking strategy, as humans tend to be the weakest link in any network. Teenagers used it in 2020 to hack Twitter and it has more recently been used in hacks of the tech companies Twilio and Cloudflare.

Uber has been hacked before.

Its former chief security officer, Joseph Sullivan, is currently on trial for allegedly arranging to pay hackers $100,000 to cover up a 2016 high-tech heist in which the personal information of about 57 million customers and drivers was stolen.


Uber’s ex-security chief faces landmark trial over data breach that hit 57m users

Joe Sullivan’s trial is believed to be the first case of an executive facing criminal charges over such a breach

Uber’s former security officer, Joe Sullivan, is standing trial this week in what is believed to be the first case of an executive facing criminal charges in relation to a data breach.

The US district court in San Francisco will start hearing arguments on whether Sullivan, the former head of security at the ride-share giant, failed to properly disclose a 2016 data breach affecting 57 million Uber riders and drivers around the world.

At a time when reports of ransomware attacks have surged and cybersecurity insurance premiums have risen, the case could set an important precedent regarding the culpability of US security staffers and executives for the way the companies they work for handle cybersecurity incidents.

The breach first came to light in November 2017, when Uber’s chief executive, Dara Khosrowshahi, revealed that hackers had gained access to the driver’s license numbers of 600,000 US Uber drivers as well as the names, email addresses and phone numbers of as many as 57 million Uber riders and drivers.

Public disclosures like Khosrowshahi’s are required by law in many US states, with most regulations mandating that the notification be made “in the most expedient time possible and without unreasonable delay”.

But Khosrowshahi’s announcement came with an admission: a whole year had passed since the information had been breached.

“You may be asking why we are just talking about this now, a year later,” Khosrowshahi said at the time, adding that the company had investigated the delay and had fired two executives who had led the response to the breach, one of whom was Sullivan.

Uber’s disclosure sparked several federal and statewide inquiries. In 2018, Uber paid $148m over its failure to disclose the data breach in a nationwide settlement with 50 state attorneys general. In 2019, the two hackers pleaded guilty to hacking Uber and then extorting Uber’s “bug bounty” security research program. In 2020, the Department of Justice filed criminal charges against Sullivan.

In court filings, federal prosecutors alleged that in an attempt to cover up the security violation, Sullivan had “instructed his team to keep knowledge of the 2016 Breach tightly controlled” and to treat the incident as part of the bug bounty program.

That program was intended to incentivize hackers and security researchers to report vulnerabilities in exchange for cash rewards, but it did not allow for “rewarding a hacker who had accessed and obtained personally identifiable information of users and drivers from Uber-controlled systems”, the complaint says.

The hackers in the 2016 breach were rewarded $100,000, the complaint says, more than any bounty the company had paid as part of the program until that point.

Sullivan also allegedly had the hackers sign a supplemental non-disclosure agreement (NDA) which “falsely represented that the hackers had not obtained or stored any data during their intrusion”, federal prosecutors wrote.


In 2018, months after he was fired, Sullivan contested any claims of a cover-up and said he was “surprised and disappointed when those who wanted to portray Uber in a negative light quickly suggested this was a cover-up”.

Neither Sullivan nor Uber immediately responded to a request for comment.

The justice department complaint alleged that only Sullivan and the former Uber chief executive Travis Kalanick had knowledge of the full extent of the hack as well as a role in the decision to treat it as an authorized disclosure through the bug bounty program. However, as the New York Times first reported, the security industry is divided over whether Sullivan deserves to be held solely responsible for the breach. Some have questioned whether the role of other company executives and its board should be investigated as well, while others say Sullivan’s role in it was clear.

“I don’t know if Uber management knew about the concealment … or if Sullivan was directed to make the $100,000 payment to hide the breach. The trial will ferret all that out,” Jamil Farshchi, the chief information security officer at Equifax, wrote in a LinkedIn post. “What I do know is that nobody is disputing that a breach of 57 million people occurred, Uber concealed it, and that Joe Sullivan … was involved in the concealment.”

The trial will play out as reports of ransomware attacks continue to rise. In 2021, the US saw a more than 95% increase in ransomware attacks, according to the threat intelligence firm SonicWall. Many of those attackers have targeted healthcare facilities and schools. Hackers targeted the Los Angeles unified school district, the second-largest school district in the US, with a cyber-attack over Labor Day weekend.


Guest Essay

The Uber Hack Exposes More Than Failed Data Security


By Bruce Schneier

Mr. Schneier is a security technologist and the author of 14 books, including the forthcoming “A Hacker’s Mind: How the Powerful Bend Society’s Rules, and How to Bend them Back.”

Uber was hacked this month. The company said that the attacker — a teenager possibly linked to the incident was just arrested in London — most likely obtained the corporate password of an Uber contractor. Using that person’s access, the hacker gained access to some of Uber’s internal systems: internal Slack messages, a finance tool for invoices and the dashboard where the company’s security researchers report bugs and vulnerabilities. It’s a big deal, and an embarrassment to the company.

Uber has said that it believes that the attacker is affiliated with a hacking group called Lapsus$, whose members are mostly teenagers and which has recently targeted several technology companies. Uber also said it had not seen any evidence that user data was compromised during the incident. In the lawsuits that will invariably result, we will learn more about what happened.

But any litigation against the company, whether it be by government agencies like the Federal Trade Commission, or class-action lawsuits by shareholders or perhaps even customers, will focus on the proximate causes of the hack. More fundamental are the underlying causes of security breaches: Current economic and political forces incentivize companies to skimp on security at the expense of both personal and national security. If we are ever to have a hope of doing better, we need to change the market incentives.

When you’re a high-tech start-up company, you are likely to cut corners in a lot of areas. It makes business sense — your primary focus is to earn customers and grow quickly enough to remain in business when your venture capital funding runs out. Anything that isn’t absolutely essential to making the business work is left for later, and that includes security culture and practices. It’s a gamble: Spending money on speed and features rather than security is a more likely path to success than being secure yet underfunded, underfeatured, or — worst of all — a year later to market.

Security can be improved later, but only if necessary. If you’ve survived the start-up world and become a runaway success, you’ve had to scale to accommodate your customers or users. You’ve been forced to improve performance and reliability, because your new higher-profile customers demand more. You’ve had to make your internal systems work for your hundreds and maybe thousands of employees. You’re now an established company, and you had better look and act that way.

But in all of that, you’ve never had incentive to upgrade your security. The quick-and-dirty systems you built in the beginning still work, and your customers or users don’t know what’s going on behind the curtain. Your employees are expected not to tell anyone, like chefs being told to stay in the kitchen. And truth be told, it’s expensive and time-consuming to rebuild everything from the ground up with security in mind.

This is something I see again and again in companies, and not only in start-ups. It’s even the same thing that the former Twitter security chief Peiter Zatko (better known as Mudge) is accusing that company of doing. Companies large and small skimp on security when the market doesn’t reward doing any better. The result is that hackers have an easier time breaking into networks, and once they break in there are few controls that prevent them from accessing everything.

Some companies do manage to make the change. We saw it with Microsoft, when Bill Gates changed the company’s direction in 2002 with a now-famous memo. Google’s shift to a more robust security culture happened in 2010, after being hacked by attackers in China.

The lack of incentives obviously has profound implications for the security of all of our personal data, stored by a seemingly unknowable number of different companies who are all collecting dossiers on our movements and habits. It also has national security implications. We know that countries are stealing as much data as possible for their own purposes. China, in particular, is apparently using its resources collecting data on Americans in general. State-sponsored Chinese hackers are believed to be behind the theft of personal data on U.S. government employees, especially those with security clearances, from the U.S. Office of Personnel Management in 2015. Hackers suspected of working on behalf of the country’s civilian spy agency were also apparently behind the theft of data on 500 million guests from the Marriott hotel chain in 2018 and about 80 million former and current patients and employees from the health insurer Anthem in 2015.

In all of these cases, the victimized organizations could have very likely protected our data better, but the reality is that the market does not reward healthy security. Often customers aren’t even able to abandon companies with poor security practices, as many of them build “digital moats” to lock their users in. Customers don’t abandon companies with poor security practices. Hits to the stock prices quickly recover. It’s a classic market failure of a powerful few taking advantage of the many, and that failure is one that only representation through regulation can fix.

We need strong regulations that force organizations to maintain good security practices. The focus must be on resilient security for the user data entrusted to the company. Government regulation should not be involved (for example) if Uber loses the source code to its phone apps or its employee Slack channel. Government regulation should be involved if Uber loses data about the rides taken by its 100 million-plus users. (One risk of this data for Uber: It can be used to find one-night stands, for either fun or blackmail opportunities.)

Worries that any regulation will somehow quell innovation are overblown. Good security isn’t incompatible with features, agility or time to market. But even so, a smart internet-security regulatory regime will take a page from successful industry regulations such as banking, and tailor requirements to the size of the organization. Just as a small local bank doesn’t have to follow the same level of regulation that a large national bank does, or a jumbo jet has a more extensive preflight checklist than a single-engine two-seater, there’s no reason a small start-up with only a few customers has to follow the same rules as a Twitter or an Uber. And as a company becomes larger and more successful, its security requirements should increase because the impact of insecurity increases.

In 2020, Russian hackers breached the internet infrastructure company SolarWinds. SolarWinds followed the trajectory from start-up to established company. This particular hack was a national security disaster. The hackers were able to use their access to penetrate the computer networks of some 18,000 SolarWinds customers, including U.S. government agencies such as the Homeland Security Department and State Department, government contractors, nuclear research labs, I.T. companies, and nongovernmental agencies around the world. Here again, the market rewarded poor security practices in the name of short-term profits. If the government mandated better ones, things might have turned out differently.

Last week’s Senate Judiciary Committee hearing, “Protecting Americans’ Private Information From Hostile Foreign Powers,” further highlighted that personal data privacy is now a matter of national security. And while regulation isn’t a panacea — nothing is in the world of security — it will serve to align corporate incentives with our broader societal goals. It will keep us all safer against both hackers and foreign governments.

Bruce Schneier is a security technologist and the author of 14 books, including the forthcoming “A Hacker’s Mind: How the Powerful Bend Society’s Rules, and How to Bend them Back.” He is a fellow at the Belfer Center at the Harvard Kennedy School and at the Berkman Klein Center for Internet and Society at Harvard.


Uber Data Breach: What To Know About the 2022 Cybersecurity Attack

No matter how robust network security is, even the biggest companies fall victim to cyber attacks. These malicious attacks can be costly — to the tune of 4.3 million on average — but they also disrupt operations and hurt a company’s reputation. 

In fact, it is anticipated that cybercrime will cost the world $10.5 trillion annually by 2025. A recent breach at Uber reminds us of how social engineering attacks are on the rise and urges us to protect and train our employees to prevent such detrimental attacks. Below, we’ll dissect the Uber data breach and what you can do to avoid facing a similar devastating situation. 

So, What Happened at Uber?

On September 15, 2022, Uber employees were surprised to find an unauthorized user posting in their company’s Slack channel. They had hacked their way into the account and left a message that read, “I announce I am a hacker and Uber has suffered a data breach.” Uber employees, who did not reveal their identities, admitted that it appeared as if the hacker breached multiple internal applications and accessed sensitive data.

Although the suspected hacker, who is allegedly only 18 years old, has been arrested, the damage was done. The hacker had left an explicit image within Uber’s internal systems and exposed how they had hacked the company using social engineering. Uber is now having to launch their own internal investigation into the incident, and will more than likely have to enact a costly remediation plan.

How Did the Hacker Gain Access to Uber’s Internal Systems?

The Uber cybersecurity protocols would have probably been enough to prevent the data breach — if it weren’t for the use of social engineering. The hacker admitted on Twitter that they gained access to the company’s internal VPN by tricking an employee into handing it over. The hacker claimed they were a corporate information technology expert and needed the password. The threat actor also had access to credentials that allowed them to breach Uber’s AWS and G Suite accounts.

Social engineering — or the practice of using human emotion to get the victim to perform an action or give the threat actor needed information — is not uncommon in the cybersecurity world. In fact, many experts agree that untrained employees are your biggest area of vulnerability. The threat actor responsible for the Uber data breach has also claimed to have used social engineering when launching an attack against Rockstar Games.

Protect Your Company Against Incidents Like the Uber Data Breach 

Stay Up to Date With the Latest Social Engineering Techniques

Although direct messaging and calling are popular social engineering techniques, it’s expected that the cybercrime trend of impersonating well-known companies through email phishing scams will continue to grow this year. To protect your organization, be aware of these trends and speak with a cybersecurity consultant if you feel your organization is vulnerable.

Test Your Network Vulnerabilities Regularly

Unfortunately, social engineering isn’t going away — which means you need to know if there are vulnerabilities within your network that can make a social engineering attack even more disastrous. For example, a threat actor who has gained access to your internal network with stolen login credentials may be able to move laterally within your organization’s internal framework and escalate their privileges with help from unpatched applications or outdated technologies.

Routine vulnerability assessments performed quarterly can help your organization’s private data stay private. An expert assessment can help identify false positives from vulnerability scans and provide a report with more information. An assessment report may include discovered vulnerabilities, a walkthrough of what was done, and research and solutions to better protect your organization.

Continuously Train Your Employees To Recognize Attacks

Uber was hacked in 2022 because an employee did not recognize that they were a victim of social engineering. Cybersecurity awareness training can arm employees with valuable information so that they know what to do when suspicious activity occurs at work. Engaging learning tools such as training videos and live hack demonstrations can not only get your team up to speed, but can help motivate them to stay vigilant.

Kevin Mitnick Security Awareness Training

Aside from learning the details about cyberattacks like the Uber data breach, security awareness training for your employees can help keep you one step ahead of social engineers. 

Train your team when and where it’s convenient, with the world's largest security awareness training content library. Begin strengthening your organization’s security posture by exploring the Security Awareness Training Library by Mitnick Security.


Uber investigating cybersecurity incident after hacker breaches its internal network


Uber confirmed on Thursday that it’s responding to a cybersecurity incident after reports claimed a hacker had breached its internal network.

The ride-hailing giant discovered the breach on Thursday and has taken several of its internal communications and engineering systems offline while it investigates the incident, according to a report by The New York Times, which broke news of the breach.

Uber said in a statement given to TechCrunch that it’s investigating a cybersecurity incident and is in contact with law enforcement officials, but declined to answer additional questions.

The sole hacker behind the breach, who claims to be 18 years old, told the Times that he compromised Uber because the company had weak security. The attacker reportedly used social engineering to compromise an employee’s Slack account, persuading them to hand over a password that allowed them access to Uber’s systems. This has become a popular tactic in recent attacks against well-known companies, including Twilio, Mailchimp and Okta.

Shortly before the Slack system was taken offline on Thursday afternoon, Uber employees received a message that read, “I announce I am a hacker and Uber has suffered a data breach,” the Times reports. The hacker also reportedly said that Uber drivers should receive higher pay.

We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available. — Uber Comms (@Uber_Comms) September 16, 2022

According to Kevin Reed, CISO at cybersecurity company Acronis, the attacker found high-privileged credentials on a network file share and used them to access everything, including production systems, Uber’s Slack management interface and the company’s endpoint detection and response (EDR) portal.

“If you had your data in Uber, there’s a high chance so many people have access to it,” Reed said in a LinkedIn post, noting that it’s not yet clear how the attacker bypassed two-factor authentication (2FA) after obtaining the employee’s password.

The attacker is also believed to have gained administrative access to Uber’s cloud services, including on Amazon Web Services (AWS) and Google Cloud (GCP), where Uber stores its source code and customer data, as well as the company’s HackerOne bug bounty program.

Sam Curry, a security engineer at Yuga Labs who described the breach as a “complete compromise,” said that the threat actor likely had access to all of the company’s vulnerability reports, which means they may have had access to vulnerabilities that have not been fixed. HackerOne has since disabled the Uber bug bounty program.

In a statement given to TechCrunch, Chris Evans, HackerOne CISO and chief hacking officer, said the company “is in close contact with Uber’s security team, have locked their data down, and will continue to assist with their investigation.”

This is not the first time that Uber has been compromised. In 2016, hackers stole information from 57 million driver and rider accounts and then approached Uber and demanded $100,000 to delete the data. Uber made the payment to the hackers but kept the news of the breach quiet for more than a year.

If you know more about the Uber breach, you can contact this author via Signal at +44 1536 853968.


Lily Hay Newman

The Uber Data Breach Conviction Shows Security Execs What Not to Do


Uber's former chief security officer, Joe Sullivan, was found guilty this week of actively hiding a data breach from the US Federal Trade Commission (FTC) and concealing a felony. The case has reverberated through the security and tech worlds because it is seemingly the first time that an individual executive has faced criminal prosecution for charges related to a data breach against the executive's company. As alarming as Sullivan's conviction may be to some, gauging the fallout for security executives is anything but straightforward.

Chief security officers are sometimes wryly referred to as “chief scapegoat officers” or “chief sacrificial officers,” because the practical challenges of securing massive organizations are so great. It is all but inevitable that companies will suffer hacks and breaches, and CSOs preside over the aftermath. Many now worry that Sullivan's conviction will make the already daunting role even less appealing to top talent. But the United States Department of Justice is positioning the case as an opportunity to set guardrails around what behavior is—and isn't—acceptable in the fraught balancing act of corporate breach response.

“This definitely will have a chilling effect,” says Anthony Vance, a professor and researcher at Virginia Tech who focuses on how individuals and organizations can improve cybersecurity practices. “Most people aren’t clear about the nuance that is involved here, but more generally, it does show that someone could be held accountable and convicted for a data breach, which has never happened. It’s possible even if this is an extreme case.”

Sullivan’s trouble goes back to November 2016, when Uber suffered a data breach that compromised personal information of more than 57 million users, including drivers and passengers. The rideshare giant didn't disclose the breach until November 2017, when its current chief executive officer, Dara Khosrowshahi, took over and fired Sullivan along with a company lawyer, Craig Clark. In 2018, Uber paid $148 million to settle with attorneys general across the United States for violating state data breach disclosure laws.

The delayed notification in itself isn't what brought Sullivan into the Justice Department's crosshairs, though. When Sullivan learned about the 2016 hack, he was already working with the FTC on its ongoing investigation into another, unrelated 2014 Uber data breach. Among other things, Sullivan gave a sworn deposition to the FTC about the incident and steps Uber had since taken to improve its digital security practices. 10 days after providing this testimony, he learned of the new data breach. The hackers attempted to extort the company by threatening to publish the data they had stolen if they didn't receive payment. 

Sullivan is now convicted of spearheading the effort to cover up this breach by paying the hackers $100,000 through the company's bug bounty program. As part of the deal, authorities say, he required the hackers to delete the stolen data and sign a nondisclosure agreement about the incident. These actions amounted to a failure to report a felony, according to the DOJ, and resulted in a “misprision of felony” charge. He was also charged in 2020 and convicted this week of obstruction of proceedings of the FTC for failing to amend his testimony to the agency about Uber's security conditions once he learned of the 2016 breach.


“This is a unique case because there was that ongoing FTC investigation,” says Shawn Tuma, a partner in the law firm Spencer Fane who specializes in cybersecurity and data privacy issues. “He had just given sworn testimony and was most certainly under a duty to further supplement and provide relevant information to the FTC. That’s how it works.”

Tuma, who frequently works with companies responding to data breaches, says that the more concerning conviction in terms of future precedent is the misprision of felony charge. While the prosecution was seemingly motivated primarily by Sullivan's failure to notify the FTC of the 2016 breach during the agency's investigation, the misprision charge could create a public perception that it is never legal or acceptable to pay ransomware actors or hackers attempting to extort payment to keep stolen data private.

“These situations are highly charged and CSOs are under immense pressure,” Vance says. “What Sullivan did seems to have succeeded at keeping the data from coming out, so in their minds, they succeeded at protecting user data. But would I personally have done that? I hope not.”

Sullivan told The New York Times in a 2018 statement, “I was surprised and disappointed when those who wanted to portray Uber in a negative light quickly suggested this was a cover-up.”

The facts of the case are somewhat specific in the sense that Sullivan didn't simply lead Uber to pay the criminals. His plan also involved presenting the transaction as a bug bounty payout and getting the hackers—who pleaded guilty to perpetrating the breach in October 2019—to sign an NDA. While the FBI has been clear that it doesn't condone paying hackers off, US law enforcement has generally sent a message that what it values most is being notified and brought into the process of breach response. Even the Treasury Department has said that it can be more flexible and lenient about payments to sanctioned entities if victims notify the government and cooperate with law enforcement. In some cases, as with the 2021 Colonial Pipeline ransomware attack, officials working with victims have been able to trace payments and attempt to recoup the money.

“This is the one that gives me the most concern, because paying a ransomware attacker could be viewed out in the public as criminal wrongdoing, and then over time that could become a sort of default standard,” Tuma says. “On the other hand, the FBI highly encourages people to report these incidents, and I’ve never had an adverse experience with working with them personally. There’s a difference between making that payment to the bad guys to buy their cooperation and saying, ‘We’re going to try to make it look like a bug bounty and have you sign an NDA that’s false.’ If you have a duty to supplement to the FTC, you could give them relevant information, comply with breach notification laws, and take your licks.”

Tuma and Vance both note, though, that the climate in the US for handling data extortion situations and working with law enforcement on ransomware investigations has evolved significantly since 2016. For executives tasked with protecting the reputation and viability of their company—in addition to defending users—the options for how to respond a few years ago were much murkier than they are now. And this may be exactly the point of the Justice Department's effort to prosecute Sullivan.

“Technology companies in the Northern District of California collect and store vast amounts of data from users. We expect those companies to protect that data and to alert customers and appropriate authorities when such data is stolen by hackers,” US attorney Stephanie Hinds said in a statement about the conviction on Wednesday. “Sullivan affirmatively worked to hide the data breach from the Federal Trade Commission and took steps to prevent the hackers from being caught. Where such conduct violates the federal law, it will be prosecuted.”

Sullivan has yet to be sentenced—another chapter in the saga that security executives will no doubt be watching extremely closely.


Uber Breach 2022 – Everything You Need to Know

On Thursday, September 15th, Uber confirmed reports of an organization-wide cybersecurity breach. This is an evolving situation, but we will bring you here the latest information and commentary as we get it.

Mackenzie Jackson


“What makes this breach appear so significant is that this does not appear to be a breach of a single system. The attackers seem to have moved laterally between systems for a complete organization takeover” Mackenzie Jackson – Security Advocate at GitGuardian

Update 9/20/22: Uber confirmed in a security update that the named attacker "Tea Pot" was affiliated with the Lapsus$ hacking group, famous for breaching NVIDIA, Samsung, and Microsoft earlier this year. According to their early investigations, it is likely that the attacker targeted an external contractor whose credentials were bought on the dark web.

What happened

Here’s what we know so far, pending investigation and confirmation from Uber’s security teams.

  • The attack started with a social engineering campaign on Uber employees, which yielded access to a VPN, in turn granting access to Uber's internal network *.corp.uber.com.
  • Once on the network, the attacker found some PowerShell scripts, one of which contained hardcoded credentials for a domain admin account for Thycotic, Uber’s Privileged Access Management (PAM) solution.
  • Using admin access, the attacker was able to log in and take over multiple services and internal tools used at Uber: AWS, GCP, Google Drive, Slack workspace, SentinelOne, HackerOne admin console, Uber’s internal employee dashboards, and a few code repositories.

Screenshot from a private message with the hacker on Telegram

The critical vulnerability that granted the attacker such high levels of access was hardcoded credentials in a PowerShell script. These credentials gave admin access to a Privileged Access Management (PAM) system: Thycotic. This tool carries huge amounts of privilege, making it a single point of failure; it stores both end-user credentials for employee access to internal services and third-party apps as well as DevOps secrets used in the context of software development. This is a worst-case scenario. The PAM system controls access to multiple systems, and having admin access means you can grant yourself access to, or extract secrets for, all connected systems. This appears to have given the attacker complete access to all of Uber's internal systems.
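As an added illustration (not GitGuardian's tooling and not code from the original article), the sketch below scans PowerShell scripts, such as those sitting on a file share, for the kind of hardcoded credential described above. The rule set, the sample script, its fake values and the `Connect-Thing` cmdlet are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass
from pathlib import Path

# A quoted PowerShell string: group q is the quote character, v the contents.
QUOTED = r"""(?P<q>["'])(?P<v>.+?)(?P=q)"""
SECRET_NAME = r"\w*(?:pass(?:word|wd)?|pwd|secret|token|api_?key)\w*"

# Assumed heuristics for this example, not an exhaustive or vendor rule set.
RULES = [
    # Literal fed to ConvertTo-SecureString (flagged only with -AsPlainText).
    ("plaintext-securestring",
     re.compile(r"ConvertTo-SecureString\b[^|;]*?" + QUOTED, re.I)),
    # $password = "literal", $apiKey = 'literal', ...
    ("secret-variable-literal",
     re.compile(r"\$(?P<n>" + SECRET_NAME + r")\s*=\s*" + QUOTED, re.I)),
    # -Password "literal" passed straight to a command.
    ("password-parameter-literal",
     re.compile(r"-(?:Password|Pass|Secret)\s+" + QUOTED, re.I)),
]

# "$pw", "$env:PW", "$($cfg.pw)": a double-quoted string that only expands a
# variable holds no literal secret. Single quotes never expand in PowerShell.
VAR_ONLY = re.compile(r"\$(?:\w+:)?\w+|\$\(.*\)|\$\{.*\}")
# Variables such as $passwordFile name a location, not the secret itself.
BENIGN_NAME = re.compile(r"(?:file|path|prompt|length|policy)$", re.I)


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    masked: str  # never carry the full secret into reports or tickets


def mask(value):
    return value[:2] + "***"


def scan_text(text, path="<memory>"):
    """Return findings for one script. Comment lines are scanned on purpose:
    a commented-out password is still an exposed password."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES:
            m = pattern.search(line)
            if not m:
                continue
            if rule == "plaintext-securestring" and "-asplaintext" not in line.lower():
                continue
            if m["q"] == '"' and VAR_ONLY.fullmatch(m["v"]):
                continue  # pure variable expansion, nothing hardcoded
            name = m.groupdict().get("n")
            if name and BENIGN_NAME.search(name):
                continue
            findings.append(Finding(path, line_no, rule, mask(m["v"])))
    return findings


def read_script(path):
    """Files written by Windows PowerShell (for example via Out-File) default to
    UTF-16 with a BOM; a scanner that assumes UTF-8 misses secrets in them."""
    raw = Path(path).read_bytes()
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("utf-8-sig", errors="replace")


def scan_tree(root, suffixes=(".ps1", ".psm1", ".psd1")):
    """Walk a directory (for example a mounted file share) and scan every script."""
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in suffixes:
            findings.extend(scan_text(read_script(p), str(p)))
    return findings


# Constructed sample script; every name and value in it is fake.
SAMPLE_PS1 = r'''
# Constructed sample: authenticate to a PAM service (all values are fake)
$user = "svc-pam-admin"
$password = "Examp1e-Not-Real!"
$secure = ConvertTo-SecureString "Examp1e-Not-Real!" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($user, $secure)
# Safer patterns that must NOT be flagged:
$prompted = Read-Host -Prompt "Password" -AsSecureString
$fromEnv = ConvertTo-SecureString "$env:PAM_PASSWORD" -AsPlainText -Force
$passwordFile = "C:\secure\pam.cred"
Connect-Thing -Server pam.example.internal -Password 'Examp1e-Not-Real!'
'''

if __name__ == "__main__":
    for f in scan_text(SAMPLE_PS1, "sample.ps1"):
        print(f"{f.path}:{f.line}: {f.rule} ({f.masked})")
```

Regex heuristics like these miss secrets that have no telltale variable name or cmdlet, so they complement, rather than replace, moving credentials out of scripts and into a vault.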

This isn't the first time we've seen an Uber data breach: in 2014 hackers gained access to an AWS S3 bucket after developers leaked secrets to a public git repository. Two years later, a similar incident happened when attackers exploited poor password hygiene by some developers to gain access to private repositories which contained multiple access credentials. Now we appear to have the final episode in the trilogy, and it appears to be the most serious situation yet.

“There have been three reported breaches involving Uber in 2014, 2016, and now 2022. It appears that all three incidents critically involve hardcoded credentials (secrets) inside code and scripts” Mackenzie Jackson – Security Advocate at GitGuardian

How bad is it?

Critically, Uber’s Privileged Access Management (PAM) platform was compromised through the exposure of its admin credentials. Privileged access management (PAM) is the combination of tools and technology used to secure, control, and monitor employee access to an organization's critical information and resources. With that in mind, the attacker may have gained access to nearly all the internal systems of Uber. Let’s go through the ones we know of based on preliminary information and evidence to understand the severity of this incident.

“We very often find credentials and secrets for specific systems that have leaked, but finding admin credentials to an access management system is like finding a master key to every room and alarm system, in every building, in every country that an organization owns.” Mackenzie Jackson – Security Advocate at GitGuardian

Thycotic – Severity = Critical

The attacker gained admin access to the Thycotic PAM system. PAM systems can be a single full-featured software console or a collection of multiple tools; in the case of Thycotic, it is a single tool with many features. It can control access to different services and also has a secrets manager where credentials and passwords are stored. It appears the hacker was able to access secrets inside the secure storage, granting the worst possible scenario for Uber.

AWS instance – Severity = Critical

The AWS instance controls the cloud infrastructure of Uber's applications. Depending on configuration, privileges, and architecture, the attacker can potentially shut down services, abuse computing resources, access sensitive user data, delete or ransom data, change user access, and many more things.

Uber Hack 2022 - AWS IAM console access

VMware vSphere – Severity = Critical

VMware vSphere is a cloud computing virtualization platform. This is a critical platform as it interfaces with both cloud computing and on-premise servers, which can give an attacker access to controlled on-premise servers as well as many administrative functions that would help an attacker move deeper into systems.

Uber Hack 2022 - VMware vSphere access

SentinelOne – Severity = High

SentinelOne is an XDR (eXtended Detection and Response) platform. Simply put, this platform connects to your mission-critical systems and lets you know if there are security issues. Any attacker that can obtain privileged access to this system can obfuscate their activity and prolong their attacks. XDRs can bake in "backdoors" for Incident Response (IR) teams, such as allowing IR teams to "shell into" employee machines and potentially widening the attacker's access.

Uber Hack 2022 - SentinelOne privileged access (Incident Response Team)

Slack workspace – Severity = Medium

The internal messaging system of Slack can be used to great effect by an attacker to launch phishing campaigns. As the attacker has the instant trust of other users, they can send malicious links, try to get admins to elevate their privilege, and access sensitive information. As the attacker has made themselves known, this is likely a smaller threat.

Uber Hack 2022 - Uber Slack workspaces

GSuite Admin – Severity = Medium

GSuite is a tool used by many companies to manage their users, store data, and many other administrative tasks. With admin access, the attacker can create and delete accounts, but would also likely have access to employee data and other sensitive company data.

Uber Hack 2022 - GSuite Admin access

HackerOne – Severity = Medium

HackerOne is the platform used to pay and communicate with security researchers that find vulnerabilities within systems for rewards. Given the level of detail bounty hunters usually provide, anyone with access to the HackerOne tenant has detailed how-tos on how to exploit (likely unpatched) vulnerabilities in other areas of their IT systems. This means persistence is highly likely.


What’s next for Uber?

Although we can't be sure at this point, the immediate disclosure of the breach by the attacker himself, both to security researchers on the HackerOne platform and to Uber personnel on their Slack workspace, tends to indicate that he might not be financially motivated.

From what we have seen, the attacker likely has access to many more systems and services belonging to Uber, but these are the ones we know about. Given the blast radius of this breach, we believe it will be extremely difficult and costly for Uber to sift through all their systems and access logs to ensure the attacker has not achieved persistence.

Before you go

Want to learn more about the problem of hardcoded credentials? Read our State of Secrets Sprawl 2023 report or request a complimentary audit of your secrets exposure.

If you are interested in other 2022 data breaches and attacks, you can find a detailed analysis of the Cloudflare breach and the Toyota data breach.


© 2024 GitGuardian. All Rights Reserved.


Rideshare company Uber has suffered a data breach after Teqtivity, a software company which provides asset management and tracking service for Uber, was targeted in a cyber attack.  

The malicious party responsible for the breach posted confidential company information they claimed to have stolen in the breach to hacking forum BreachForums under the pseudonym ‘UberLeaks’.

According to cyber security news site BleepingComputer, the leaked information includes “source code, IT asset management reports, data destruction reports, Windows domain login names and email addresses and other corporate information” as well as the “email addresses and Windows Active Directory information for over 77,000 Uber employees”. No user information was accessed or shared as a result of the breach.

In a statement to BleepingComputer, an Uber spokesperson said that the leaked files are “related to an incident at a third-party vendor” and are “unrelated” to a cyber security incident the company suffered in September 2022. The spokesperson said that based on a review of the information leaked on BreachForums, the code is “not owned by Uber”, but affirmed that the company is “continuing to look into this matter”.

This was corroborated by Teqtivity who said in a statement that the information was “compromised due to unauthorized access to [its] systems by a malicious third party”, who “was able to gain access to [the] Teqtivity AWS backup server that housed Teqtivity code and data files related to Teqtivity customers” including Uber.

UberLeaks posted four separate batches of data to BreachForums, which they alleged contained source code information for mobile device management (MDM) platforms linked to Uber. The alleged source code was for the MDM platforms for Uber and Uber Eats, as well as its third-party vendor services, namely IT asset management company Teqtivity and travel, corporate card and expense management platform TripActions.

Uber has since denied that the hackers gained any access to the company’s internal systems. Likewise, TripActions told BleepingComputer that “no TripActions data was exposed...nor were TripActions’ customers impacted as part of this security incident” as “TripActions does not maintain an MDM”.

In the posts on BreachForums, UberLeaks alleged that those responsible for the breach belonged to hacking gang Lapsus$, who orchestrated a hack into Uber’s internal systems in September. Uber has denied this allegation.

What is Lapsus$?

Lapsus$ is a malicious hacking group that has been classified as DEV-0537 by Microsoft. The group is known for gaining access to companies by targeting employees with social engineering attacks.

According to Microsoft, Lapsus$ frequently “announc[e] their attacks on social media or advertis[e] their intent to buy credentials from employees of target organizations”.

Lapsus$ have been linked to a number of high-profile hacking cases, including one in March 2022 where the group hacked both Okta and Microsoft within a week. In both cases, companies’ internal servers were accessed through the compromise of a single employee’s account.

Previous Lapsus$ hack into Uber’s internal systems

On September 15, 2022, a hacker used a compromised Uber EXT account to access the company’s internal systems after an employee’s personal device became infected with malware and their login credentials were posted to the dark web.

According to the rideshare company, the hacker then “accessed several other employee accounts which ultimately gave the attacker elevated permissions to a number of tools, including G-Suite and Slack”, then “posted a message to a company-wide Slack channel...and reconfigured Uber’s OpenDNS to display a graphic image to employees on some internal sites”.

The hack was linked to the Lapsus$ hacking group by Uber, as the group “typically uses similar techniques to target technology companies” and suggested that the group were responsible for a hack into video game company Rockstar Games that occurred just days later on September 19.

Former Uber CSO found guilty of covering up data breach

Uber previously came under fire for covering up a data breach that occurred in November 2016 that exposed the data of 57 million employees and users.  The data exposed included the full names, email addresses, telephone and driver’s license numbers for customers and drivers alike. It was accessed after hackers used stolen credentials to obtain an access key from a source code repository. This then allowed the malicious actors to gain access to the personal information.

The company admitted to covering up the breach in July 2022 as part of a non-prosecution agreement with the US Department of Justice and Uber paid US$148,000 to settle a civil litigation.

Additionally, former cyber security officer (CSO) of Uber, Joe Sullivan, was convicted on October 5, 2022, of obstruction of proceedings of the Federal Trade Commission (FTC) and misprision of felony in connection with attempting to cover up the hack.

Sullivan was charged after failing to alert the FTC of the data breach while Uber was under investigation by the commission in relation to a breach in November 2014. The breach saw the details of 50,000 customers leaked online.

Sullivan was alerted to the existence of the data breach on November 14, 2016, after being directly contacted by the hackers responsible. Following contact with the hackers, Sullivan attempted to pay them $100,000 to sign a non-disclosure agreement which, according to the DOJ, “contained the false representation that the hackers did not take or store any data”, and eventually paid them the sum in Bitcoin in December 2016, despite not knowing their true identities.

In January 2017, Uber discovered their identities and the hackers signed a new version of the original non-disclosure agreement which contained their true names. Both hackers were prosecuted and pleaded guilty in October 2019 to charges of computer fraud conspiracy.

Evidence showed that Sullivan did not disclose any information about the cyber security incident to Uber’s lawyers who were handling the investigation, nor to the General Counsel of Uber. The initial investigation was settled in summer of 2016, without Sullivan mentioning the breach.

In 2017, Uber began investigating the 2016 breach and revealed it both to the FTC and the general public. During the investigation, Sullivan falsely told the new CEO of Uber, Dara Khosrowshahi, that the hackers were only paid after their identities were revealed. He also deleted information from a draft of a report on the breach that involved the exposure of a large amount of personal information of many Uber customers.  

At the trial in 2022, the jury found Sullivan guilty of obstruction of justice and misprision of felony. He faces a maximum of five years in prison for obstruction and a maximum of three years for misprision. He remains free on bond and will be sentenced at a later date, yet to be set. 


Cyber Security Hub, a division of IQPC


Uber Makes Headlines After New Social Engineering Attack

On September 15, 2022, it was reported that American mobility-as-a-service provider Uber was hit with another massive data breach that was impacting the company’s entire network. Likewise, this breach is alleged to have been more damaging than the last major breach that the company experienced in 2016, an incident that resulted in the personal information of more than 57 million users being disclosed to the general public. To this point, Uber initially tried to cover up the occurrence of the data breach that took place in 2016 by offering to pay the hackers who had launched the attack $100,000 in bitcoin. Nevertheless, the truth of this coverup was ultimately revealed by a Federal Trade Commission (FTC) investigation that was conducted nearly a year later.

Given this background information, Uber will undoubtedly be facing a huge amount of criticism and public scrutiny as it pertains to the manner in which they choose to handle the most recent data breach that unfolded this week. To this end, the hacker that performed the attack “is believed to have breached multiple internal systems, with administrative access to Uber’s cloud services including on Amazon Web Services (AWS) and Google Cloud (GCP).” Subsequently, in a New York Times article that broke the news earlier this week, this hacker in question sent a text message to an Uber employee under the guise of being a “corporate information technology personnel.” In turn, this social engineering attack enabled the hacker to infiltrate Uber’s purportedly weak security network, as even the company’s internal messaging system Slack was taken offline.

The risks of social engineering attacks

In contrast to other forms of cybercrime, where a hacker may attempt to access an online network or database through brute force tactics or other similar methods, social engineering attacks instead look to instill a certain level of trust in an employee that works for the company, usually under the premise of being a fellow legitimate employee, before taking advantage of this trust to launch a cyberattack. Once a cybercriminal is able to obtain the credentials of an employee that works for a company such as Uber, they will then have the resources and information necessary to take down the online systems of a business with relative ease, as has been showcased with Uber’s most recent data breach.

As stated by Acronis’ CISO Kevin Reed in a message posted to the social media website LinkedIn, “Once on the internal network, the attackers found high privileged credentials laying on a network file share and used them to access everything, including production systems, corp EDR console, Uber slack management interface…This looks bad. What’s worse is if you had your data in Uber, there’s a high chance so many people have access to it.” However, despite the numerous details of the cyberattack that have been confirmed, it is still unknown how the hacker was able to get past the two-factor authentication process once they had access to the login credentials of an Uber employee.

Uber’s most recent data breach settlement

If the data breach that Uber sustained in 2016 is any indication, the breach that occurred this week may very well result in a multi-million dollar settlement for any aggrieved parties, depending on the legal actions that are undertaken in response to Uber’s alleged lapse in security. Uber agreed to pay $148 million in a nationwide settlement that the company reached with Washington D.C. Attorney General Karl A. Racine in September 2018. Furthermore, Uber was also required to “strengthen its corporate governance and data security practices to help prevent a similar occurrence in the future”, as well as pay $2.62 million directly to Washington D.C.

In addition to the huge monetary settlements that Uber was ordered to pay in 2018, former security officer Joe Sullivan was also indicted on criminal charges in response to his alleged attempts to cover up the data breach by offering to pay the hackers who launched the attack $100,000 in bitcoin, in accordance with a Non-Disclosure Agreement (NDA) that he also reportedly had the cybercriminals sign before he relinquished payment. In a case that is believed to be the first instance of a major executive of a company being criminally liable for their role in a data breach, Sullivan was “charged with three counts of wire fraud, in violation of 18 U.S.C. § 1343; obstruction of justice, in violation of 18 U.S.C. § 1505; and misprision of a felony, in violation of 18 U.S.C. § 4.”

While data breaches have become extremely common in our modern society due to the inherent role that the internet plays in daily life, this fact does not negate the huge risks that such occurrences pose to everyday working people. For this reason, irrespective of the legitimacy behind Uber’s most recent alleged cyberattack, it is imperative that the company handles this event with more diligence and care than has been displayed when similar events unfolded in the past, as even if the company is able to dodge another costly monetary settlement, they will still be faced with the reputation harm that has come to be associated with businesses that experience repeated data breaches over a relatively short period of time.


Uber Data Breach Affects 57 Million Rider and Driver Accounts

Steve Symanovich

Staff writer


Uber Technologies, Inc. disclosed that hackers stole the personal information of some 57 million customers and drivers from the ride-sharing company, according to a report by Bloomberg News. The news outlet also reported that, for more than a year, Uber concealed news of the data breach, which was discovered in late 2016.

In a statement on its website and attributed to CEO Dara Khosrowshahi, the company said the information included:

  • The names and driver’s license numbers of around 600,000 drivers in the United States.
  • Some personal information of 57 million Uber riders and drivers around the world. This information included names, email addresses and mobile phone numbers.

Uber rider or driver? Here’s what you need to know:

For Uber riders, the company says it doesn’t believe individuals need to take action. “We have seen no evidence of fraud or misuse tied to the incident,” its statement to riders said. “We are monitoring the affected accounts and have flagged them for additional fraud protection.”

That said, it is possible for identity thieves to launch phishing attacks, appearing to come from Uber, hoping to trick customers into providing personal information, such as account credentials or payment card information. It’s always important to check the actual email address to ensure a message is from the company or person it appears to be from. Also, don’t click on an emailed link or attachment without verifying the email’s authenticity.

Uber says it’s notifying its drivers whose driver’s license numbers were accessed and is providing them with free credit monitoring and identity theft protection services. It’s providing additional information for Uber drivers on its website.

How the Uber breach happened

Uber said two people who didn’t work for the company accessed the data on a third-party cloud-based service that Uber uses. The company also said that outside forensics experts have not seen evidence that the hackers accessed other types of information. Un-accessed information includes:

  • Trip location histories
  • Credit card numbers
  • Bank account numbers
  • Social Security numbers
  • Dates of birth

Bloomberg News reports that company executives originally paid the hackers $100,000 to delete the data and keep news of the data breach quiet. In its statement, Uber said that two individuals who led the original response to the incident are no longer with the company, effective Nov. 21, 2017, the date the company went public with news of the breach.


Uber Data Breach 2022: What You Need to Know


The world of digital security has been under the spotlight for various reasons in the last year. Several high-profile incidents have directly impacted the general public, from cyber attacks to privacy scandals. 

Uber is the latest company to be caught up in this whirlwind after hackers managed to breach their security and steal sensitive user data from the ride-hailing service. 

This article provides an overview of what happened, what went wrong, and what you can do to keep your accounts safe.

What Caused the Uber Data Breach?

On September 15, Uber announced the news of its system breach. Through social engineering, the hacker compromised an employee’s Slack account. 

During the Uber cyber attack, the hacker persuaded the employee to hand over a critical password that allowed them access to Uber’s systems.

The screenshots the hacker shared with security researchers suggest that this person gained complete access to the cloud-based systems where Uber stores sensitive customer and financial information. 

An internal resource page belonging to one company employee (who wished to stay anonymous) is said to have had a not-safe-for-work image posted on it by the hacker.

Some noteworthy points include the following: 

  • First, they failed to monitor login attempts properly. Uber doesn’t receive notifications if a third party tries to log into a business account but fails to enter the network. These failed entry attempts don’t trigger Uber’s security systems, which shows an apparent lag in the system.
  • Second, Uber failed to restrict the available data to third-party apps. Such easy availability allows hackers to access sensitive information from other linked third-party apps. 
  • Thirdly, there is a possibility this attack was a result of phishing. In phishing, hackers pose as a trustworthy person or entity to gain access to sensitive information. This breach is notable as there have been multiple breaches in Uber’s history. Such multiple violations are unusual, as most breaches only happen once or twice.
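The first point above, failed entry attempts that never raise an alert, is the gap a simple burst detector closes. The following is an added example, not code from the article or from Uber: it flags an account that collects several failed or denied authentication attempts inside a short window and escalates when an approval follows the burst. The event names, the threshold and the sample log lines are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs): (ISO timestamp, account, event).
# The event names below are assumptions made for this example.
SAMPLE_EVENTS = [
    ("2022-09-15T01:00:05", "contractor1", "mfa_denied"),
    ("2022-09-15T01:00:50", "contractor1", "mfa_denied"),
    ("2022-09-15T01:01:40", "contractor1", "mfa_timeout"),
    ("2022-09-15T01:02:30", "contractor1", "mfa_denied"),
    ("2022-09-15T01:03:15", "contractor1", "mfa_denied"),
    ("2022-09-15T01:04:30", "contractor1", "mfa_denied"),
    ("2022-09-15T01:05:10", "contractor1", "mfa_approved"),
    ("2022-09-15T09:00:00", "alice", "password_fail"),
    ("2022-09-15T09:00:40", "alice", "mfa_approved"),
    ("2022-09-15T14:00:00", "bob", "password_fail"),
    ("2022-09-15T14:00:30", "bob", "password_fail"),
    ("2022-09-15T14:01:10", "bob", "password_fail"),
    ("2022-09-15T14:02:00", "bob", "password_fail"),
    ("2022-09-15T14:02:45", "bob", "password_fail"),
]

FAILURE_EVENTS = {"password_fail", "mfa_denied", "mfa_timeout"}
SUCCESS_EVENTS = {"mfa_approved"}


def detect_failure_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Return (account, severity, time, failures) alerts.

    'warning'  : the account reached `threshold` failures inside `window`.
    'critical' : a success arrived while such a burst was still inside the
                 window, i.e. the attempts stopped because one was approved.
    """
    recent = defaultdict(deque)  # account -> timestamps of recent failures
    alerts = []
    # ISO 8601 timestamps sort correctly as plain strings.
    for ts_text, account, event in sorted(events):
        ts = datetime.fromisoformat(ts_text)
        failures = recent[account]
        # Forget failures that have aged out of the window.
        while failures and ts - failures[0] > window:
            failures.popleft()
        if event in FAILURE_EVENTS:
            failures.append(ts)
            if len(failures) == threshold:
                alerts.append((account, "warning", ts_text, len(failures)))
        elif event in SUCCESS_EVENTS:
            if len(failures) >= threshold:
                alerts.append((account, "critical", ts_text, len(failures)))
            failures.clear()  # a success starts a fresh counting period
    return alerts


if __name__ == "__main__":
    for alert in detect_failure_bursts(SAMPLE_EVENTS):
        print(alert)
```

A single mistyped password followed by a normal approval (the `alice` events) stays below the threshold and produces no alert.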

How Was Uber’s Security Breached?

An attempt was made by the hacker to socially engineer Uber workers, which resulted in access to a VPN and the company’s internal network. 

Allegedly, an 18-year-old hacker is responsible for stealing data from Uber. However, last week, Uber shared more details about the attack, which notably pinned the threat actor’s affiliation to the notorious LAPSUS$ hacking group.

Uber’s system vulnerability came to the fore when its native Privileged Access Management (PAM) platform admin credentials were compromised. 

Privileged Access Management is a collection of tools and technologies that protects, restricts, and monitors employee access to a company’s vital data and resources. 

Once a hacker enters the network, they get access to PowerShell scripts, which include the domain admin’s account login information in a hard-coded form. 

During the recent breach, the hijacker gained full administrative access to the company’s AWS, vSphere domain, Duo, G Suite, OneLogin, VMware, and other accounts. They even obtained Uber’s source code; screenshots were provided as evidence. 

Since there were no ransom or extortion notes, researchers believe that the hacker performed the engineering attack only for cheap thrills. 

Predefined parameters in a PowerShell script are a significant weakness that gives the attacker such extensive access. These login credentials granted administrator access to Thycotic, a PAM system. 

This tool carries a lot of privileges for the company’s users. It holds both end-user keys for personnel access to internal resources and third-party programs. 

Additionally, it includes DevOps insights used commonly during software development, making it a single failure point. 

The PAM system manages access to several systems. As a result, the attacker had full access to all of Uber’s core systems.
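Hard-coded credentials in PowerShell scripts, the weakness described above, can be found before an intruder finds them. The following is an added example, not code from the article or from Uber: a small scanner that flags secret-looking assignments, secret-looking parameters and `ConvertTo-SecureString ... -AsPlainText` calls that use a quoted literal. The two sample scripts are constructed, `Connect-ExampleVault` is a hypothetical cmdlet, and the list of secret-like names is an assumption.

```python
import re

# Quoted PowerShell string literal: group 1 = quote char, group 2 = value.
_LIT = r"""(['"])((?:(?!\1).)+)\1"""
# Name fragments that usually indicate a secret (assumed list for this example).
_NAME = r"(?:pass(?:word|wd)?|pwd|secret|api[_-]?key|token)"

# PowerShell is case-insensitive, so the patterns are too.
ASSIGN = re.compile(r"\$\w*" + _NAME + r"\w*\s*=\s*" + _LIT, re.I)
PARAM = re.compile(r"(?<!\w)-\w*" + _NAME + r"\w*[\s:]+" + _LIT, re.I)
LITERAL = re.compile(_LIT)

# Constructed sample: credential embedded in the script (Connect-ExampleVault
# is a hypothetical cmdlet used only for illustration).
VULNERABLE_PS1 = r"""# Constructed sample, not from Uber: hard-coded admin credential
$user = "corp\svc-pam-admin"
$adminPassword = "Examp1e-Only!"
$secure = ConvertTo-SecureString "Examp1e-Only!" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($user, $secure)
Connect-ExampleVault -Credential $cred -ApiToken 'constructed-token-123'
"""

# Constructed sample: same task, secrets resolved at run time instead.
HARDENED_PS1 = r"""# Constructed sample: secret fetched at run time
$cred = Get-Secret -Name "pam-admin"
$secure = Read-Host "Password" -AsSecureString
$apiToken = $env:VAULT_TOKEN
Connect-ExampleVault -Credential $cred -ApiToken $apiToken
"""


def _mask(value):
    """Keep the finding useful without copying the secret into the report."""
    return value[0] + "*" * (len(value) - 1)


def scan_script(text):
    """Return (line_no, rule, masked_value) for each hard-coded secret found."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank line or full-line comment
        hits = []
        match = ASSIGN.search(line)
        if match:
            hits.append(("hardcoded-assignment", match.group(2)))
        match = PARAM.search(line)
        if match:
            hits.append(("hardcoded-parameter", match.group(2)))
        if (re.search(r"ConvertTo-SecureString", line, re.I)
                and re.search(r"-AsPlainText", line, re.I)):
            literal = LITERAL.search(line)
            if literal:
                hits.append(("plaintext-securestring", literal.group(2)))
        for rule, value in hits:
            if value.startswith("$"):
                continue  # "$env:PW" style expansion, not a literal secret
            findings.append((line_no, rule, _mask(value)))
    return findings


if __name__ == "__main__":
    for finding in scan_script(VULNERABLE_PS1):
        print(finding)
```

The scanner works line by line, so a secret split across lines or built by string concatenation is outside what it detects.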

Who Was Affected by Uber Cybersecurity Attack?

Although the hackers only gained access to some information from Uber’s users, they still managed to breach their security. The breach means the hackers found a way to infiltrate their system and enter other accounts. 

It’s possible the hackers also gained access to sensitive information from other apps tracking users. Therefore, hackers likely gained access to information such as addresses, email addresses, and license numbers (although no evidence proves it yet).

Misuse of such information might include unauthorized access to users’ bank accounts, receiving Social Security benefits in someone else’s name, and even driving cars without being detected.

Some people have questioned Uber’s response to the data breach in light of how they had previously failed to disclose the 2016 breach that cost them $148 million in legal penalties.

Additionally, it’s also been reported that the company didn’t immediately notify everyone affected by the breach, which is unusual. Some people may have been left unaware that their information has been breached.


Shivani Dhiman


Settlement reached in class action lawsuit against Hope College for 2022 data breach


HOLLAND — A class action lawsuit against Hope College for a 2022 data breach is being settled for $1.5 million. 

The lawsuit, which was filed in December 2022, stems from a data breach that occurred on or around Sept. 27, 2022. An investigation found that information like first and last names, birth dates, Social Security numbers, driver’s license numbers and student ID numbers had been compromised. 

Class Representatives for the case are Jennie Devries, Tricia Garnett, Mark Cyphers, Timothy Drost, Joseph Rogers, Emily Damaska and Elisa Carter. The settlement was reached earlier this year, with notice mailings being sent to class members in February. 

Hope College emailed a statement about the situation to The Sentinel on Monday.

“Per the terms of the settlement, all details are being communicated by the plaintiffs and their legal counsel. No student tuition or room/board dollars were used to fund the settlement, nor were any operating funds of the college. Hope College is unable to provide additional information,” the statement reads. 


As part of the settlement, class members have three options for benefits — one year of credit monitoring and insurance services; cash payments of up to $5,000 per member for reimbursement of documented losses; or cash fund payments at an amount to be determined. Class members can choose one of the three options.

Settlement benefits will be issued after payout of attorney fees, administrative expenses and service awards for the class representatives. 

The credit monitoring and insurance services include up to $1 million of identity theft insurance coverage and three-bureau credit monitoring meant to protect people from unauthorized use of their personal information. These services are “separate from and in addition to” credit monitoring services already offered by Hope College. 

Class members can file a claim form for reimbursement of documented losses, which include funds spent remedying or addressing identity theft and fraud that was “more likely than not” related to the breach or funds spent to protect from future harm due to the breach. Claims for documented loss must have supporting documentation such as credit card or bank statements, phone records and receipts. 

Finally, class members can opt to apply for a cash fund payment of a to-be-determined amount. These payments will be disbursed equally among those who opt for them after funds are allocated to credit monitoring and documented loss payments, if funds remain. 

Class members must submit a valid claim form by May 7 to receive settlement benefits. To submit claims, visit hopecollegesettlement.com. Anyone with questions about the settlement or whether they qualify as a class member should contact [email protected]


Hope has also agreed to take several remedial and enhanced security measures through the settlement. 

Those measures include increasing internal and third-party IT staff; establishment of a data governance committee, aiming to retain sensitive data only when “legally required or operationally necessary;” enforcing mandatory multi-factor authentication; hiring an independent security contractor to evaluate network security and vulnerability; and increasing mandatory training for employees related to data security. 

A final approval hearing for the settlement is scheduled for 9 a.m. Monday, May 20. It will be held before Judge Paul Maloney in the U.S. District Court for the Western District of Michigan in Kalamazoo.

— Contact reporter Mitchell Boatman at [email protected].

Uber sex assault group sues to block Nevada bid to cap all contingency fees at 20%


Reporting By Alison Frankel


Alison Frankel has covered high-stakes commercial litigation as a columnist for Reuters since 2011. A Dartmouth college graduate, she has worked as a journalist in New York covering the legal industry and the law for more than three decades. Before joining Reuters, she was a writer and editor at The American Lawyer. Frankel is the author of Double Eagle: The Epic Story of the World’s Most Valuable Coin.


COMMENTS

  1. What Caused the Uber Data Breach in 2022?

    The Uber data breach began with a hacker purchasing stolen credentials belonging to an Uber employee from a dark web marketplace. An initial attempt to connect to Uber's network with these credentials failed because the account was protected with MFA. To overcome this security obstacle, the hacker contacted the Uber employee via ...

  2. Uber Investigating Breach of Its Computer Systems

    By Kate Conger and Kevin Roose. Sept. 15, 2022. Uber discovered its computer network had been breached on Thursday, leading the company to take several of its internal communications and ...

  3. Uber Users: What You Need to Know about Last Month's Data Breach

    Last month, the internal databases of American multinational ride-share company Uber were hacked. The unnamed 18-year-old who claimed responsibility for the hack said Uber's ineffective security measures made the breach possible. The hacker, who was eventually arrested and is in police custody, is said to have gained access to Uber's secure ...

  4. Uber responding to 'cybersecurity incident' after hack

    First published on Thu 15 Sep 2022 22.26 EDT. Uber has been hacked in an attack that appears to have breached the ride-hailing company's internal systems. The California-based company confirmed ...

  5. Uber was breached to its core, purportedly by an 18-year-old. Here's

    The attacker reportedly sent company-wide texts on Uber Slack channels, announcing the feat. "I announce I am a hacker and Uber has suffered a data breach," one message read, according to the NYT.

  6. Uber Hack Update: Was Sensitive User Data Stolen & Did 2FA ...

    Uber confirms incident and says no evidence of sensitive user data exposure. Uber/Twitter. This confirms that the investigation and response efforts continue and states that Uber has "no evidence ...

  7. After a serious breach, Uber says its services are operational again

    The ride-hailing service Uber said Friday that all its services are operational following what security professionals were calling a major data breach. It said there was no evidence ...

  8. Unpacking the Uber Breach

    Phase 1: Initial Access. The attacker got inside Uber's IT environment by gaining access to credentials to Uber's VPN infrastructure. Phase 2: Discovery. Most likely, this contractor did not have special or elevated privileges to sensitive resources but did have access to a network share, as did other Uber workers.

  9. Uber's ex-security chief faces landmark trial over data breach that hit

    Uber's former security officer, Joe Sullivan, is standing trial this week in what is believed to be the first case of an executive facing criminal charges in relation to a data breach.

  10. The Uber Hack Exposes More Than Failed Data Security

    The Uber Hack Exposes More Than Failed Data Security. Sept. 26, 2022. By Bruce Schneier. Mr. Schneier is a security ...

  11. Uber Data Breach: What To Know About the 2022 Cybersecurity Attack

    On September 15, 2022, Uber employees were surprised to find an unauthorized user posting in their company's Slack channel. They had hacked their way into the account and left a message that read, "I announce I am a hacker and Uber has suffered a data breach." Uber employees, who did not reveal their identities, admitted that it appeared ...

  12. Jury finds former Uber security chief guilty of concealing data breach

    The case pertains to a breach at Uber's systems that affected data of 57 million passengers and drivers. The company did not disclose the incident for a year.

  13. Video Case Study: The 2022 Uber Breach

    The September 2022 Uber data breach included a hot new cyberattack tactic - the Multi-Factor Authentication (MFA) fatigue attack. Cybersecurity experts Sherri Davidoff and Matt Durrin dive into the details of the 2022 Uber cyber attack, explain MFA fatigue attack tactics, and offer a couple of quick tips to reduce your organization's risks.

  14. Uber investigating cybersecurity incident; hacker breaches internal

    Uber made the payment to the hackers but kept the news of the breach quiet for more than a year. If you know more about the Uber breach, you can contact this author via Signal at +44 1536 853968.

  15. Uber investigating 'cybersecurity incident' after report of breach

    Sept 16 (Reuters) - Uber Technologies Inc (UBER.N) said it was investigating a cybersecurity incident after a report of a network breach that forced the company to shut ...

  16. Case Study: The 2022 Uber Breach

    The September 2022 Uber data breach included a hot new cyberattack tactic - the Multi-Factor Authentication (MFA) fatigue attack. Cybersecurity experts Sher...

  17. The Uber Data Breach Conviction Shows Security Execs What Not to Do

    Uber's Former chief security officer, Joe Sullivan, was found guilty this week of actively hiding a data breach from the US Federal Trade Commission (FTC) and concealing a felony. The case has ...

  18. Uber Breach 2022

    Breach explained Uber Breach 2022 - Everything You Need to Know. On Thursday, September 15th, Uber confirmed reports of an organization-wide cybersecurity breach. ... This is a worst-case scenario. The PAM system controls access to multiple systems, and having admin access means you can give yourself or extract secrets to all connected ...

  19. The Uber data breach cover-up: A timeline of events

    The Uber data breach cover-up and the case against Sullivan feature numerous important dates and developments, according to court documents and statements from FTC. Here's a look at some of the major dates: May 12, 2014: Threat actors access personal data of Uber customers and drivers contained in an AWS S3 bucket. The attackers used an AWS ...

  20. IOTW: Over 77,000 Uber employee details leaked in data breach

    Former Uber CSO found guilty of covering up data breach. Uber previously came under fire for covering up a data breach that occurred in November 2016 that exposed the data of 57 million employees and users. The data exposed included the full names, email addresses, telephone and driver's license numbers for customers and drivers alike.

  21. Uber Hit With Enormous Data Breach in 2022

    Uber Makes Headlines After New Social Engineering Attack. On September 15, 2022, it was reported that American mobility as a service provider Uber was hit with another massive data breach that was impacting the company's entire network. Likewise, this breach is alleged to have been more damaging than the last major breach that the company ...

  22. Uber Data Breach Affects 57 Million Rider and Driver Accounts

    Uber Technologies, Inc. disclosed that hackers stole the personal information of some 57 million customers and drivers from the ride-sharing company, according to a report by Bloomberg News. The news outlet also reported that, for more than a year, Uber concealed news of the data breach, which was discovered in late 2016.

  23. Uber Data Breach 2022: Uber Cyber Attack 2022

    According to the 2022 Ponemon Institute's report, insider attacks increased by 47%, resulting in compromised user credentials. An attempt was made by the hacker to socially engineer Uber workers, which resulted in access to a VPN and the company's internal network. Allegedly, an 18-year-old hacker is responsible for stealing data from Uber.

  24. Settlement reached in 2022 data breach lawsuit against Hope College

    HOLLAND — A class action lawsuit against Hope College for a 2022 data breach is being settled for $1.5 million. Class Representatives for the case are Jennie Devries, Tricia Garnett, Mark ...

  25. Column: Uber sex assault group sues to block Nevada bid to cap all

    in Nevada state court to enjoin an Uber-backed ballot initiative that would limit lawyers' contingency fees in all civil suits to 20% of their clients' recovery, by far the most ...