Uber said a hacker affiliated with the Lapsus$ hacking group was responsible for a breach of its internal systems last week, while reiterating that no customer or user data was compromised during the attack.
Uber blames Lapsus$ hacker group for security breach
The hack, discovered last Thursday, forced the company to take several of its internal systems offline, including Slack, Amazon Web Services and Google Cloud Platform.
It happened a few days before video game maker Rockstar Games was also breached by a hacker who claims to be the same person who attacked Uber. Dozens of videos of the company’s unreleased Grand Theft Auto VI were leaked online. In its security update, Uber refers to the Rockstar Games hack, but does not confirm that it was the same attacker.
The company says it is in close contact with the FBI and the US Department of Justice as the investigation continues.
Uber confirmed that the hacker downloaded some internal Slack messages as well as information from an internal tool used by the company’s finance team to manage invoices. “We are currently analyzing these downloads,” the company said in a statement.
Lapsus$ is a hacker group known for conducting a ransomware attack against the Brazilian Ministry of Health in December 2021, compromising the COVID-19 vaccination data of millions in the country. It has also targeted a number of high-profile companies, stealing data from Nvidia, Samsung, Microsoft and Vodafone. London police arrested several members of the group earlier this year, all of whom were teenagers.
In its update on the breach, Uber confirmed new details about the hack. The company said the attacker likely purchased an Uber contractor’s corporate password on the dark web after the contractor’s personal device was infected with malware, exposing those credentials.
“The attacker then repeatedly attempted to log into the contractor’s Uber account,” the company said. “Each time, the contractor received a two-factor login authorization request, which initially blocked access. Eventually, however, the contractor accepted one, and the attacker logged in.”
(Previously, the alleged hacker claimed to have received a password allowing access to Uber’s systems from a company employee, whom he tricked by impersonating a company IT official — a technique known as social engineering.)
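The sequence Uber describes, repeated two-factor requests that are rejected or ignored followed by one that is accepted, can be flagged from authentication logs. The following is an added example, not code from Uber or from the original article; the event fields, account names, thresholds and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, account, push result). Not real log data.
SAMPLE_EVENTS = [
    ("2030-01-01T18:01:10", "contractor1", "denied"),
    ("2030-01-01T18:02:05", "contractor1", "timeout"),
    ("2030-01-01T18:03:40", "contractor1", "denied"),
    ("2030-01-01T18:05:15", "contractor1", "timeout"),
    ("2030-01-01T18:07:30", "contractor1", "approved"),  # accepted after a burst
    ("2030-01-01T09:00:00", "employee2", "timeout"),     # one missed prompt
    ("2030-01-01T09:00:45", "employee2", "approved"),
    ("2030-01-01T14:00:00", "employee3", "denied"),      # stale denial, hours earlier
    ("2030-01-01T20:30:00", "employee3", "approved"),
]

def find_push_fatigue(events, window=timedelta(minutes=10), min_rejected=3):
    """Return alerts for approvals that follow at least `min_rejected` denied
    or timed-out push prompts for the same account within `window`."""
    recent = defaultdict(deque)  # account -> timestamps of rejected prompts
    alerts = []
    for ts_str, account, result in sorted(events):  # ISO timestamps sort by time
        ts = datetime.fromisoformat(ts_str)
        rejected = recent[account]
        # Drop rejected prompts that have aged out of the sliding window.
        while rejected and ts - rejected[0] > window:
            rejected.popleft()
        if result in ("denied", "timeout"):
            rejected.append(ts)
        elif result == "approved":
            if len(rejected) >= min_rejected:
                alerts.append({
                    "account": account,
                    "approved_at": ts_str,
                    "rejected_before": len(rejected),
                })
            rejected.clear()  # a new session starts a new count
    return alerts

if __name__ == "__main__":
    for alert in find_push_fatigue(SAMPLE_EVENTS):
        print(alert)
```

An alert of this kind is a cue to revoke the new session and reset the account's password before the login is used further.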
The hacker then gained access to several other Uber employee accounts, gradually gaining more permissions to a number of internal company tools, including G Suite and Slack. The attacker then posted a message to a company-wide Slack channel and “reconfigured Uber’s OpenDNS to display a graphic image to employees on certain internal websites,” the company said.
The hacker eventually announced himself to Uber employees by posting a message on the company’s internal Slack system. “I announce that I am a hacker and Uber has suffered a data breach,” screenshots of the message circulating on Twitter read. The alleged hacker then listed confidential company information they said they had accessed and posted a hashtag saying Uber underpays its drivers.
Uber said it responded by forcing employees and contractors whose accounts were compromised to change their passwords and restricting them from certain internal systems until they had done so. It also rotated keys – effectively resetting access – to many of Uber’s internal services. And it locked down its own codebase, preventing new code changes – even though it claims to have detected no changes yet.
Uber also claims that sensitive customer data, including personally identifiable information and financial data, is secure.
“First of all, we have not seen the attacker gain access to production (i.e. public-facing) systems that run our apps; any user accounts; or the databases we use to store sensitive user information, such as credit card numbers, user bank account information or travel history. We also encrypt credit card information and personal health data, offering an additional layer of protection.”
Uber says the hacker gained access to the company’s dashboard on HackerOne, where security researchers report bugs and vulnerabilities. “However, all bug reports the attacker accessed have been patched,” the company says.
In addition to law enforcement, Uber says it is also working with “several leading digital investigative firms” as part of the ongoing investigation.
“We will also take this opportunity to continue to strengthen our policies, practices and technology to further protect Uber from future attacks,” the company said.