Uber says it was likely hacked by Teenage Hacker Gang LAPSUS$
Uber has published additional information about how it was hacked and claimed it was targeted by LAPSUS$, a cybercriminal gang with a solid track record believed to consist mainly of teenagers.
Last week, someone broke into Uber’s network and used the access to cause all kinds of mayhem. The culprit, who claims to be 18 years old, managed to spam the company’s employees with vulgar Slack messages, post a picture of a penis on the company’s internal websites and leak pictures of Uber’s internal environment to the web. Now the ride-share giant has released a statement giving details of the ordeal.
In its update, the company has clarified how it was hacked, largely confirming the account given by the hacker himself. Uber says the hacker exploited the credentials of a company contractor to initially gain access to the network. The hacker may have originally purchased access to these credentials via the dark web, Uber says. The hacker then used them to make multiple login attempts to the contractor’s account. The login attempts led to a series of multi-factor authentication requests for the contractor, who eventually authenticated one of them. The hacker has previously claimed that he carried out a social engineering scheme to convince the contractor to authenticate the login attempt.
Security experts have called this an “MFA fatigue” attack. This increasingly common intrusion tactic seeks to overwhelm a victim with authentication push requests until they validate the hacker’s illegitimate login attempt.
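A defender's view of the pattern described above, as an added example that is not from Uber's statement or the original article: it flags a burst of unapproved push prompts on one account and, separately, the higher-severity case where an approval follows the burst. The event layout, outcome names, window and threshold are assumptions, and the events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample MFA push events: (ISO timestamp, user, outcome).
# The layout and outcome names are assumptions, not any vendor's log schema.
SAMPLE_EVENTS = [
    ("2022-01-01T21:00:05", "contractor1", "timeout"),
    ("2022-01-01T21:01:10", "contractor1", "denied"),
    ("2022-01-01T21:02:00", "contractor1", "denied"),
    ("2022-01-01T21:03:30", "contractor1", "timeout"),
    ("2022-01-01T21:04:15", "contractor1", "denied"),
    ("2022-01-01T21:06:40", "contractor1", "approved"),
    ("2022-01-01T09:00:00", "employee2", "denied"),   # one mis-tap, then a normal login
    ("2022-01-01T09:00:30", "employee2", "approved"),
    ("2022-01-01T08:00:00", "employee3", "timeout"),  # spread over hours: not a burst
    ("2022-01-01T10:00:00", "employee3", "timeout"),
    ("2022-01-01T12:00:00", "employee3", "timeout"),
]

def detect_push_fatigue(events, window=timedelta(minutes=10), threshold=4):
    """Flag bursts of unapproved pushes, and approvals that follow a burst."""
    recent = defaultdict(deque)  # user -> timestamps of unapproved pushes in window
    alerts = []
    for ts_raw, user, outcome in sorted(events):  # ISO strings sort chronologically
        ts = datetime.fromisoformat(ts_raw)
        q = recent[user]
        while q and ts - q[0] > window:  # drop prompts older than the window
            q.popleft()
        if outcome in ("denied", "timeout"):
            q.append(ts)
            if len(q) == threshold:  # alert once as the burst reaches the threshold
                alerts.append({"kind": "burst", "user": user,
                               "at": ts_raw, "unapproved": len(q)})
        elif outcome == "approved":
            if len(q) >= threshold:  # approval right after a burst: treat as suspect
                alerts.append({"kind": "burst_then_approve", "user": user,
                               "at": ts_raw, "unapproved": len(q)})
            q.clear()
    return alerts

if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_EVENTS):
        print(alert)
```
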
Most interestingly, Uber has also claimed that the person behind this hacking episode is associated with the cybercrime gang “LAPSUS$”. It’s not entirely clear how Uber knows that. The company’s statement reads:
We believe that this attacker (or attackers) is affiliated with a hacker group called Lapsus$, which has been increasingly active over the past year or so… There are also reports over the weekend that this same actor has breached video game maker Rockstar Games.
As you may have heard, Rockstar Games was actually hacked this week, in a rather disastrous episode that saw footage of the unreleased title Grand Theft Auto VI leaked online in a rather unfinished state. The hacker behind the breach claims they are the same person behind the Uber hack. Gizmodo reached out to Rockstar Games to ask if they could attribute their own data breach to the LAPSUS$ gang. We’ll update this story if we hear back.
LAPSUS$ rose to prominence earlier this year when the gang claimed to have hacked a number of prominent technology companies, including Microsoft, Cisco, Samsung, Okta, Nvidia and Ubisoft, among others. The alleged leader of the gang, a 16-year-old who went by the pseudonym “White”, was arrested in March, but due to his age his identity has not been released. The gang has continued to be active, however, as this latest episode seems to demonstrate.
In its update, Uber also reiterated that it had seen no evidence to suggest that user data was compromised during the incident:
…we have not seen that the attacker gained access to the production (ie public facing) systems that power our apps; any user accounts; or the databases we use to store sensitive user information, such as credit card numbers, user bank account information or travel history. We also encrypt credit card information and personal health data, offering an additional layer of protection.
Let’s hope they’re right about that.