Ride-hailing company confirms attack after hacker compromises Slack app and messages employees
Uber has been hacked in an attack that appears to have breached the ride-hailing company’s internal systems.
The California-based company confirmed it was responding to a “cybersecurity incident”, after the New York Times reported that a hack had accessed the company’s network and forced it to take several internal communications and engineering systems offline. The hacker claimed to be 18 years old, according to the report.
Uber confirmed that there are no issues with the company’s service, which operates in more than 10,000 cities around the world.
A hacker compromised the employee workplace messaging app Slack and used it to send a message to Uber employees announcing that it had suffered a data breach.
Sam Curry, a senior engineer at non-fungible token creator Yuga Labs, said he was contacted by the Uber hacker on the HackerOne platform and had been shown “very convincing” screenshots of full administrative access to Uber’s cloud services.
“From my understanding, the attacker had keys to the kingdom after obtaining an internal file with credentials to nearly everything,” Curry told the Guardian. He added: “Based on the screenshots and my understanding of the hack, they likely had access to read/modify the cloud services which run Uber and store user information.”
The company has been hacked before. Its former chief security officer, Joseph Sullivan, is on trial on allegations he arranged to pay hackers $100,000 as part of an attempt to cover up a 2016 attack in which the personal information of about 57 million customers and drivers was stolen.
Alan Woodward, a professor of cybersecurity at Surrey University, said: “As the hacker does appear to have such high-level access it’s also going to be difficult for Uber to know they have managed to remove the hacker from the network. It could mean a major rebuild of their systems, which will cause serious disruption.”
It appeared the hacker was able to gain access to other internal company systems, posting an explicit photo on an internal information page for employees, according to the New York Times. “We are in touch with law enforcement and will post additional updates here as they become available,” Uber said in the tweet confirming the attack.
The Slack system was taken offline on Thursday afternoon by Uber after employees received the message from the hacker.
“I announce I am a hacker and Uber has suffered a data breach,” the message read, going on to list several internal databases that were claimed to be compromised, the report added.
The New York Times reported that the person who claimed responsibility for the hack said they gained access through social engineering, a term for tricking an employee into granting access.
The hacker sent a text message to an Uber worker claiming to be a company tech employee and persuaded the worker to hand over a password that gave them access to the network. The hacker, who had provided a Telegram account address, said they broke in because the company had weak security, according to the report.
Staff at the company were instructed to not use Slack. Other internal systems, too, were reportedly inaccessible.