Uber Is Looking Into Massive Security Breach As Teen Hacker Posts Sensitive Screenshots
The popular rideshare company Uber announced last evening that it was responding to a cybersecurity incident but didn’t provide any further details other than to say that the company was in contact with law enforcement. However, it didn’t take long for information regarding the incident to leak. An unknown threat actor claims to have gained unauthorized access to all of Uber’s internal third-party services.
This anonymous actor has reached out to multiple publications and cybersecurity researchers, claiming responsibility for the incident and offering information about himself and the hack. In a conversation with reporters at The New York Times, the actor identified himself as being 18 years old. He claimed to gain initial access to Uber’s internal network by conducting an MFA (multi-factor authentication) Fatigue attack against one of the company’s employees, according to tweets from by Kevin Beaumont.
The hacker spammed an Uber employee with MFA authentication requests for over an hour, then messaged the employee on WhatsApp. Claiming to be a member of Uber’s IT department, the hacker told the employee to accept the authentication request in order to stop the constant notifications. Unfortunately, the employee was fooled by this social engineering scheme and complied with the request, giving the attacker access to the employee’s company VPN.
According to Telegram messages shared by Corben Leo, the attacker connected to the VPN and scanned Uber’s internal network, revealing some powershell scripts within a network share. The powershell scripts contained login credentials for the company’s Thycotic admin account, Thycotic being a Privileged Access Management (PAM) platform. The hacker used these credentials to login to Thycotic and extract the secret keys for all connected Uber services.
This anonymous actor has reached out to multiple publications and cybersecurity researchers, claiming responsibility for the incident and offering information about himself and the hack. In a conversation with reporters at The New York Times, the actor identified himself as being 18 years old. He claimed to gain initial access to Uber’s internal network by conducting an MFA (multi-factor authentication) Fatigue attack against one of the company’s employees, according to tweets from by Kevin Beaumont.
The hacker spammed an Uber employee with MFA authentication requests for over an hour, then messaged the employee on WhatsApp. Claiming to be a member of Uber’s IT department, the hacker told the employee to accept the authentication request in order to stop the constant notifications. Unfortunately, the employee was fooled by this social engineering scheme and complied with the request, giving the attacker access to the employee’s company VPN.
According to Telegram messages shared by Corben Leo, the attacker connected to the VPN and scanned Uber’s internal network, revealing some powershell scripts within a network share. The powershell scripts contained login credentials for the company’s Thycotic admin account, Thycotic being a Privileged Access Management (PAM) platform. The hacker used these credentials to login to Thycotic and extract the secret keys for all connected Uber services.
The attacker has posted screenshots showing evidence of unauthorized access to Uber’s AWS instance, HackerOne bug bounty tracker, SentinalOne administration panel, Slack workspace, VMware vSphere virtualization platform, Google workspace, and financial data. He also claims to have accessed Uber’s Duo two-factor authentication service, Confluence workspace, and two monorepos from the company’s Phabricator development suite.
Uber’s HackerOne bug bounty tracker has been disabled, presumably in response to the hack, but this action was likely taken too late. The hacker appears to have accessed all of the company’s bug bounty tickets, evidenced by “UBER HAS BEEN HACKED” comments left on every ticket. He also left a message in the company’s Slack workspace announcing the hack, but Uber employees apparently didn’t take this message seriously at first. According to unnamed Uber employees who spoke with Sam Curry, the company’s staff took the message as a joke and mocked the hacker, even after Uber sent an urgent notice to its employees telling them to stop using Slack.
While Uber is still investigating and responding to the incident, its preliminary investigation has revealed no evidence that “sensitive user data” was accessed by the hacker. The company also reports that all of its services are currently operational and its internal software tools are coming back online.
Uber’s HackerOne bug bounty tracker has been disabled, presumably in response to the hack, but this action was likely taken too late. The hacker appears to have accessed all of the company’s bug bounty tickets, evidenced by “UBER HAS BEEN HACKED” comments left on every ticket. He also left a message in the company’s Slack workspace announcing the hack, but Uber employees apparently didn’t take this message seriously at first. According to unnamed Uber employees who spoke with Sam Curry, the company’s staff took the message as a joke and mocked the hacker, even after Uber sent an urgent notice to its employees telling them to stop using Slack.
While Uber is still investigating and responding to the incident, its preliminary investigation has revealed no evidence that “sensitive user data” was accessed by the hacker. The company also reports that all of its services are currently operational and its internal software tools are coming back online.
