Serious Breach at Uber Highlights Hacker’s Social Deception

By FRANK BAJAK, AP Technology Writer

Ride-sharing service Uber said on Friday that all of its services were up and running following what security professionals call a major data breach, adding that there was no evidence the hacker gained access to sensitive user data.

But the breach, apparently by a lone hacker, drew attention to an increasingly effective break-in routine built on social engineering: the hacker apparently gained access by impersonating a colleague and persuading an Uber employee to surrender their credentials.

They were then able to locate passwords on the network that gave them the privileged level of access reserved for system administrators.

The potential damage was severe: screenshots the hacker shared with security researchers indicate that they gained full access to cloud-based systems where Uber stores sensitive customer and financial data.


It’s unclear how much data the hacker stole or how long he stayed in Uber’s network. Two researchers who contacted the person directly – who identified himself as an 18-year-old to one of them – said he seemed interested in publicity. There was no indication that he had destroyed any data.

But files shared with researchers and widely circulated on Twitter and other social media indicated the hacker was able to access Uber’s most crucial internal systems.

“It was really bad the access he had. It’s awful,” said Corben Leo, one of the researchers who spoke with the hacker online.

The online reaction from the cybersecurity community – Uber also suffered a serious breach in 2016 – has been harsh.

The hack “was neither sophisticated nor complicated and was clearly based on several major systemic failures in security culture and engineering,” tweeted Lesley Carhart, director of incident response at Dragos Inc., which specializes in industrial control systems.

Leo said screenshots shared by the hacker showed the intruder had access to systems hosted on Amazon’s and Google’s cloud servers where Uber keeps source code, financial data and customer data such as driving licenses.

“If he had the keys to the kingdom, he could start shutting down the services. He might delete stuff. He could download customer data, change people’s passwords,” said Leo, a researcher and business development manager at security firm Zellic.

The screenshots the hacker shared – many of which found their way online – showed sensitive financial data and internal databases being accessed. Also widely reported online: the hacker announcing the breach Thursday on Uber’s internal Slack collaboration system.

Leo, as well as Sam Curry, a Yuga Labs engineer who also contacted the hacker, said there was no indication the hacker caused any damage or was interested in anything other than publicity.

“It’s pretty clear that he’s a young hacker because he wants what 99% of what young hackers want, which is fame,” Leo said.

Curry said he spoke to several Uber employees on Thursday who said they were “working to lock everything down internally” to restrict the hacker’s access. This included the San Francisco company’s Slack network, he said.

In a statement posted online Friday, Uber said “internal software tools that we removed as a precaution yesterday are coming back online.”

It said all of its services — including Uber Eats and Uber Freight — were up and running and that it had notified law enforcement. The FBI said by email that it was “aware of the computer incident involving Uber, and our assistance to the company continues.”

Uber said there was no evidence the intruder accessed “sensitive user data” such as ride history, but did not respond to questions from The Associated Press, including on whether the data was stored encrypted.

Curry and Leo said the hacker did not indicate how much data was copied. Uber did not recommend any specific actions for its users, such as changing passwords.

The hacker alerted researchers to the intrusion on Thursday using an internal Uber account on the company’s network that is used to post vulnerabilities identified through its bug bounty program, which pays ethical hackers to root out network weaknesses.

After commenting on these posts, the hacker provided a Telegram account address. Curry and other researchers then engaged them in a separate conversation, where the intruder provided the screenshots as evidence.

The AP attempted to contact the hacker through the Telegram account, but received no response.

Screenshots posted online appear to confirm what the researchers said the hacker claimed: that they gained privileged access to Uber’s most critical systems through social engineering.

The hacker first got the password from an Uber employee, probably through phishing. The hacker then bombarded the employee with push notifications asking him to confirm a remote login to his account, a technique often called MFA fatigue or push bombing. When the employee did not respond, the hacker contacted him via WhatsApp, posing as a colleague from the IT department and stressing the urgency. In the end, the employee relented and approved the login with a click.

Social engineering is a popular hacking strategy because humans tend to be the weakest link in any network. Teenagers used it in 2020 to hack Twitter, and it has been used more recently in attacks on tech companies Twilio and Cloudflare, said Rachel Tobac, CEO of SocialProof Security, which specializes in training workers not to be victims of social engineering.

“The hard truth is that most organizations in the world could be hacked the same way Uber was just hacked,” Tobac tweeted. In an interview, she said that “even super tech-savvy people fall for social engineering methods every day.”

“Hackers are getting better at bypassing or hijacking MFA (multi-factor authentication),” said Ryan Sherstobitoff, principal threat analyst at SecurityScorecard.

This is why many security professionals advocate the use of so-called FIDO physical security keys for user authentication: the key answers a cryptographic challenge only for the site it was registered with, and there is no push prompt a remote attacker can pressure an employee into approving. However, adoption of this hardware has been uneven among technology companies.

The hack also highlighted the need for real-time monitoring in cloud-based systems to better detect intruders, said Tom Kellermann of Contrast Security. “Much more attention needs to be paid to protecting the clouds from within” because a single master key can usually unlock all of their doors.
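The push-notification bombardment described above is visible in authentication logs before the employee ever clicks “approve,” which is the kind of real-time monitoring Kellermann is calling for. The following Python is an added example, not code from the AP story, from Uber or from any of the researchers quoted: it parses a constructed push-MFA log, raises a medium alert when a user ignores or denies several prompts inside a short window, and a high alert when that same user then approves one while the burst is still fresh. The log format, event names, thresholds and sample lines are all assumptions for illustration.

```python
"""Detecting MFA push bombing ("MFA fatigue") in authentication logs.

Added example for illustration; not code from the AP story, Uber or the
researchers quoted. The log format, event names, thresholds and sample
lines below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log. Assumed format per line:
#   <ISO-8601 UTC timestamp> <user> <push result> <login source IP>
# "bob" approves a single prompt promptly (normal traffic). "alice" ignores or
# denies five prompts from the same source over a few minutes and then approves
# one, the pattern the article attributes to the Uber intrusion.
SAMPLE_LOG = """\
2022-09-15T21:00:05Z bob push_sent 198.51.100.20
2022-09-15T21:00:12Z bob push_approved 198.51.100.20
2022-09-15T21:01:03Z alice push_sent 203.0.113.7
2022-09-15T21:01:40Z alice push_timeout 203.0.113.7
2022-09-15T21:02:10Z alice push_sent 203.0.113.7
2022-09-15T21:02:45Z alice push_denied 203.0.113.7
2022-09-15T21:03:20Z alice push_sent 203.0.113.7
2022-09-15T21:03:55Z alice push_timeout 203.0.113.7
2022-09-15T21:04:30Z alice push_sent 203.0.113.7
2022-09-15T21:05:05Z alice push_timeout 203.0.113.7
2022-09-15T21:05:40Z alice push_sent 203.0.113.7
2022-09-15T21:06:15Z alice push_timeout 203.0.113.7
2022-09-15T21:09:50Z alice push_sent 203.0.113.7
2022-09-15T21:10:02Z alice push_approved 203.0.113.7
"""

# Results that mean the user did NOT approve the prompt (assumed event names).
REJECTED = {"push_timeout", "push_denied"}


def parse_line(line):
    """Split one log line into (timestamp, user, result, source_ip)."""
    ts, user, result, ip = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, user, result, ip


def detect_push_fatigue(log_text, window=timedelta(minutes=10), min_rejected=3):
    """Return alerts in log order, grouped per user.

    "push_burst" (medium): the user ignored or denied at least `min_rejected`
        prompts inside `window`; the burst is still in progress, so the SOC can
        contact the user out of band before they give in.
    "approved_after_burst" (high): the same user then approved a prompt while
        the burst was still inside the window, i.e. the attacker likely got in.
    Thresholds are illustrative and would be tuned per environment.
    """
    per_user = defaultdict(list)
    for line in log_text.strip().splitlines():
        when, user, result, ip = parse_line(line)
        per_user[user].append((when, result, ip))

    alerts = []
    for user, events in per_user.items():
        events.sort()
        recent = []              # timestamps of rejected prompts still in the window
        burst_reported = False   # emit one burst alert per burst, not per prompt
        for when, result, ip in events:
            recent = [t for t in recent if when - t <= window]
            if result in REJECTED:
                recent.append(when)
                if len(recent) >= min_rejected and not burst_reported:
                    alerts.append({"user": user, "kind": "push_burst",
                                   "severity": "medium", "rejected": len(recent),
                                   "at": when.isoformat(), "source_ip": ip})
                    burst_reported = True
            elif result == "push_approved":
                if len(recent) >= min_rejected:
                    alerts.append({"user": user, "kind": "approved_after_burst",
                                   "severity": "high", "rejected": len(recent),
                                   "at": when.isoformat(), "source_ip": ip})
                # An approval ends the current burst either way.
                recent = []
                burst_reported = False
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG):
        print(alert)
```

Run against the constructed log, the detector raises a medium “push_burst” for alice at her third rejected prompt and a high “approved_after_burst” at the approval that followed five rejections; bob produces nothing. The medium alert is the useful one operationally, because it fires while the employee is still saying no and gives the help desk a chance to reach them before the WhatsApp-style nudge does. The detector does not see the impersonation message itself; it only sees its effect in the MFA log.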

Some experts have wondered how much cybersecurity has improved at Uber since it was hacked in 2016.

Its former head of security, Joseph Sullivan, is now on trial for allegedly paying hackers $100,000 to cover up that earlier breach, in which the personal information of around 57 million customers and drivers was stolen.

This story has been updated to correct the spelling of the Contrast Security expert’s last name. It’s Kellermann, not Kellerman

This story was first published on September 16, 2022. It was updated on September 17, 2022 to correct the spelling of a researcher’s first name. The name is Corben Leo, not Corbin.

Copyright 2022 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.

Robert M. Larson