It appears Uber has been hacked by an 18-year-old. As discovered Thursday, the hijacker managed to gain full admin access to the company’s AWS, Duo, OneLogin, G Suite, VMware vSphere domain accounts, and more. They even bagged Uber’s source code and have sent out screenshots to prove it.
Not a great time for Uber then. But what really gets me is how people are said to have reacted when asked to stop interacting with the hacker on Slack. If you work in IT you might need to ask a friend to hold you back for this one.
According to The New York Times, the person responsible for the Uber hack claims to have gained access simply by sending a text to an Uber employee pretending to be from the company’s corporate IT team. The hacker, if we can even call them that, just persuaded the employee to send them their login credentials and, boom, full access granted.
Yuga Labs engineer Sam Curry posted on Twitter about the event, having spoken to the apparent hacker, who claims to be just 18 years old. They sent some pretty legitimate-looking screenshots of internal systems to prove their claim.
Curry spoke to some Uber employees about their experience: “At Uber, we got an ‘URGENT’ email from IT security saying to stop using Slack,” one employee said. “Now anytime I request a website, I am taken to a REDACTED page with a pornographic image and the message ‘F*** you wankers’.”
Another employee said that, “Instead of doing anything, a good portion of the staff was interacting and mocking the hacker thinking someone was playing a joke. After being told to stop going on Slack, people kept going on for the jokes.”
Someone hacked an Uber employee's HackerOne account and is commenting on all of the tickets. They likely have access to all of the Uber HackerOne reports. pic.twitter.com/00j8V3kcoE (September 16, 2022)
The Slack channel was finally taken offline after one message read “I announce I am a hacker and Uber has suffered a data breach.” It also went on to list a bunch of systems they were claiming to have access to. What’s really wild is that there doesn’t seem to be any rhyme or reason behind the attack: “it seems like maybe they’re this kid who got into Uber and doesn’t know what to do with it, and is having the time of his life,” Curry jokes.
Ars Technica reports that this isn’t the first time Uber has been involved in a data breach. Back in 2016 Uber allegedly failed to report a massive data breach in which 57 million customer and driver names, email addresses and phone numbers were stolen. Rather than report the incident to the Federal Trade Commission, the company allegedly opted to pay the hackers a $100,000 bug bounty so they would delete the data and sign an NDA, passing it all off, out of embarrassment, as part of a security test.
That time, it resulted in one of Uber’s top security execs, Joe Sullivan, being fired, though his lawyers say he was made a scapegoat for the failings of other employees.
The recent attack is currently under investigation, with Uber’s official Twitter account stating Thursday, “We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available.”
How people haven’t figured out that giving your password out is a terrible idea by now, I’ll never know. They call it social engineering, but attacks like this are so excruciatingly low effort, a title like that is frankly an insult to engineers.
Bottom line? Please don’t give your passwords out, even if someone claims to be from IT. That team should already have access to your account in case you forget your password.