It appears that Uber has been hacked by an 18-year-old. As reported Thursday, the attacker was able to gain full administrator access to the company’s AWS, Duo, OneLogin, G Suite, VMware vSphere and domain accounts, and more. They even claim to have obtained Uber’s source code, and have circulated screenshots to prove it.
It’s not a good time for Uber then. But what really gets me is how people are supposed to have reacted when told to stop interacting with the hacker on Slack – if you work in IT you might have to ask a friend to hold you back for this one.
According to The New York Times, the person responsible for the Uber hack claims to have gained access simply by sending a text message to an Uber employee while pretending to be from the company’s IT team. The hacker, if we can even call them that, just persuaded the employee to hand over their credentials and, boom, full access granted.
Yuga Labs engineer Sam Curry posted on Twitter about the incident after speaking with the apparent hacker, who claims to be just 18 years old. They sent some pretty legitimate-looking screenshots of internal systems to back up their claims.
Curry spoke to some Uber employees about their experience: “At Uber, we got an ‘URGENT’ email from IT security saying we should stop using Slack,” said one employee. “Now every time I request a website I am taken to a REDACTED page with a pornographic image and the message ‘F*** you crazy’.”
Another employee said that “Instead of doing anything, a good number of staff were interacting and taunting the hacker, thinking that someone was playing a prank. After being told to stop slacking off, people continued for the jokes.”
“Someone hacked an Uber employee’s HackerOne account and comments on all the tickets. They probably have access to all the Uber HackerOne reports.” (Twitter, 16 September 2022)
The Slack channel was finally taken offline after a message read “I announce that I am a hacker and that Uber has suffered a data breach.” It also went on to list a bunch of systems they claimed to have access to. What’s really wild is that since there doesn’t seem to be any rhyme or reason behind the attack, “it seems like maybe they’re this kid who got into Uber and doesn’t know what to do with it and has time of his life,” jokes Curry.
Ars Technica reports that this is not the first time Uber has been involved in a data breach. Back in 2016, Uber suffered a massive data breach in which 57 million customer and driver names, emails and phone numbers were stolen. The company reportedly failed to report the incident to the Federal Trade Commission, choosing instead to pay the hackers $100,000 so they would delete the data and sign an NDA, embarrassingly passing the whole thing off as a bug bounty security test.
At the time, it resulted in the firing of one of Uber’s top security executives, Joe Sullivan, although his lawyers say he was made a scapegoat for other employees’ failings.
The recent attack is currently under investigation. Uber’s official Twitter account said Thursday, “We are currently responding to a cybersecurity incident. We are in contact with law enforcement and will post additional updates here as they become available.”
How people haven’t figured out that giving out your password is a terrible idea by now, I’ll never know. They call it social engineering, but attacks like this are so excruciatingly low-effort that the title is frankly an insult to engineers.
The bottom line? Please do not give out your passwords, even if someone claims to be from IT. A real IT team never needs your password: if you forget it, they can reset it without ever asking you for it.