Earlier, Hackread.com reported that the ride-hailing service’s corporate network was breached, after which several engineering systems and internal communications were taken offline.
It was also reported that Uber stopped its employees from using Uber’s dedicated workplace messaging app Slack and launched a probe into the incident. Here are the latest findings.
It all started when a hacker, who claimed to be an 18-years-old male, accessed Uber’s communications system after hijacking a worker’s Slack account and compromising various internal databases of the company.
The hacker blamed Uber’s weak security for successfully compromising its databases and provided screenshots of the company’s internal systems as proof of the attack.
The hacker went on to contact the New York Times claiming that he hacked Uber for fun and has its source code in his possession, which he might leak soon.
Investigation Details
According to Uber, the investigation is still underway, but there was no evidence that the hacker accessed sensitive user data. Furthermore, all Uber services, including Uber Freight, Uber Eats, Uber Drive, and Uber, were fully functional on Friday. The latest update is that Uber’s internal software tools are also online.
Uber stated that it is in contact with relevant law enforcement authorities and has collaborated with the FBI for an in-depth investigation. In a tweet, the company said:
All of our services including Uber, Uber Eats, Uber Freight, and the Uber Driver app are now bringing back online its internal software tools. As we shared yesterday, we have notified law enforcement.”
Sensitive Data Wasn’t Exposed
On its security update page, Uber claimed that users’ personal information was safe, and there was no evidence that the hacker accessed the information. The company shared that trip history data wasn’t exposed, and all the services were up and running.
However, Uber didn’t respond to queries regarding whether the breach impacted its applications.
On the other hand, Independent security researcher Bill Demirkapi is not buying this ‘no evidence’ theory. Demirkapi believes this stance is unclear because it indicates that the attacker might have accessed the information, and Uber just hasn’t found evidence of infiltration.
Moreover, Demirkapi stated that Uber has mentioned sensitive data wasn’t exposed and refrained from using the term data. This also hints that there’s a possibility of data exposure.
That first sentence is sketchy, because “no evidence” could mean the attacker did have access, Uber just hasn’t found evidence that the attacker *used* that access for “sensitive” user data. Explicitly saying “sensitive” user data rather than user data overall is also weird. 20/N
— Bill Demirkapi (@BillDemirkapi) September 16, 2022
Uber’s History of Rubbishing Seriousness of Security Issues
Uber is almost reaching a 100 million customer base. The company has a presence in 71 countries and 10,000 cities across the globe however its approach to hacking and security vulnerabilities has always been dismissive.
In January 2018, as reported by Hackread.com, an Indian IT security researcher Karan Saini discovered a critical security flaw in the two-factor authentication (2FA) protocol used by Uber. The flaw would allow attackers to bypass 2FA which could apparently lead them to perform a number of malicious acts.
Saini reported the bug to Uber’s bug bounty program on HackerOne, who acknowledged that there is indeed a bug in its 2FA but at the same time the company downplayed the severity of it and stated that his findings were informative but “this report contained useful information but did not warrant an immediate action or a fix.”
Uber pays cybercriminals but not to the good guys
In November 2017 reports surfaced that Uber suffered a massive security breach in October 2016 in which hackers stole private details of around 75 million of its users. In return, the company paid $100,000 to hackers to hide the breach.
For your information, in the breach, two hackers stole files containing names and license numbers of 600,000 drivers from the US and personal data such as names, email IDs and mobile phone numbers of 57 million Uber users from across the globe.
How Uber was Hacked?
How Uber was hack? That is a million dollar questions. However, Marcus Hutchins, the security researcher who protected the world from the infamous WannaCry ransomware attack claims to have the answer. Watch his latest video in which Hutchins address the Uber hack.
RELATED NEWS
- Hundreds of Uber Eats User records leaked on Dark Web
- Hacked Uber Accounts of US Based Customers Used in China
- Uber Rival Careem Hacked, 14 million customer & driver data stolen
- Uber users beware; Faketoken Android malware hits ride-sharing apps
- Ex-Uber CSO Joseph Sullivan charged over 2016 data breach cover up