Hacker Pwns Uber Via Compromised Slack Account | Tech Aza


Ride-sharing giant Uber took a few of its operations offline Thursday evening after discovering that its internal systems had been compromised. The attacker was able to social engineer access to an employee’s Slack account before delving into the network, the company said.

While the full extent of the breach has yet to come to light, the person claiming responsibility for the attack (allegedly a teenager) claimed to have a large number of emails, data stolen from Google Cloud storage, and Uber's proprietary source code, “proof” of which he sent to some cybersecurity researchers and media outlets, including The New York Times.

“They have pretty much full access to Uber,” Sam Curry, a security engineer at Yuga Labs, told the Times. “This is a total compromise, by the looks of it.”

Domino compromise

Collaboration platform Slack was the first system to go offline, but other internal systems quickly followed, according to reports. Just before the deactivation, the attacker sent a Slack message to Uber employees (some of whom shared it on Twitter): “I announce that I’m a hacker and Uber has suffered a data breach.”

The perpetrator also told investigators and the media that the breach began with a text message to an Uber employee, pretending to be from corporate IT. The “tech support” message simply asked for a password, which the worker provided.

“While no official explanation has yet been provided, [apparently] the intruder was able to connect to the corporate VPN to gain access to Uber’s broader network, and then appears to have found gold in the form of administrator credentials stored in plain text on a shared network,” Ian McShane, vice president of strategy at Arctic Wolf, said in a statement. “This is a pretty low-entry attack and is somewhat similar to consumer-focused attackers calling people claiming to be Microsoft and having the end user install keyloggers or remote access tools.”

In a press release to the Times, an Uber spokesperson confirmed that social engineering was the point of entry, saying only that the company was working with authorities to investigate the breach. Publicly, via Twitter, the company posted: “We’re currently responding to a cybersecurity incident. We’re in touch with law enforcement and will post additional updates here as they become available.”

The hacker reportedly said he is 18 years old and attacked the company to demonstrate its weak security; he may also have a hacktivist element, because he also stated in the Slack message to employees that Uber drivers should be paid more.

“Given the access they claim to have gained, I'm shocked the attacker didn't attempt ransom or extortion, it appears he did so ‘for the lulz,’” McShane added.

It’s not the first time for an Uber data breach

Uber was the subject of another massive breach, back in 2016. In that incident, cyberattackers took the personal information of 57 million customers and drivers, demanding $100,000 in exchange for not weaponizing the data (the company paid). A subsequent criminal investigation led to a non-prosecution agreement with the US Department of Justice this summer, which included Uber admitting that it actively covered up the full extent of the breach, not even disclosing it for more than a year.

Also related to that earlier breach, in 2018 Uber settled a nationwide civil lawsuit by paying $148 million to all 50 states and the District of Columbia; and, ironically, given the new developments, agreed to “implement a corporate integrity program, specific data security safeguards, and incident response and data breach notification plans, along with biennial assessments.”

