The security breach that hit Uber last week was the work of Lapsus$, Uber said in a blog post Monday. The South American hacking group has attacked a number of technology giants in the past year, including Microsoft, Samsung, and Okta.
Uber said it is in close coordination with the FBI and US Justice Department on the matter.
While the attackers accessed several internal systems, Uber said it does not appear they infiltrated any public-facing systems, user accounts, or databases that store sensitive user information like credit card numbers. Additionally, Uber said it doesn’t appear that the attackers accessed any customer or user data stored by its cloud providers.
The hackers did download some internal messages, as well as information from an internal finance team. They also accessed Uber’s dashboard at HackerOne, where security researchers report bugs and vulnerabilities. However, any bug reports the attacker was able to access have been remediated, Uber said.
On Thursday, news of the breach spread after a hacker posted a message to a company-wide Slack channel. The hacker then reconfigured Uber’s OpenDNS to display a graphic image to employees on some internal sites.
The hacking group told the New York Times that they gained access to Uber’s systems through a social engineering scheme: They sent a text message to an Uber employee claiming to be a corporate IT staffer, which persuaded the staff member to reveal a password.
However, Uber clarified Monday that the hacker gained access using credentials from a third-party contractor. Furthermore, the company said it’s “likely” that the Lapsus$ hacker obtained the contractor’s Uber corporate password by purchasing it on the dark web, after the contractor’s personal device had been infected with malware.
After that, Uber said, the hacker repeatedly tried to log in to the contractor’s Uber account but was stymied by a two-factor login approval request. However, the contractor eventually accepted one of those requests. From there, the hacker obtained elevated permissions to a number of internal tools, including G-Suite and Slack.
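The login pattern described above (a burst of two-factor push prompts against one account, ending in an approval) is something an identity team can flag from its own MFA logs. The following is an added example, not code from the article or from Uber; the log format, user names, window and threshold are constructed assumptions.

```python
from collections import deque
from datetime import datetime, timedelta, timezone

# Constructed sample MFA push log (assumed format, not real Uber or contractor data).
# Each line: ISO-8601 timestamp, user id, event.
SAMPLE_LOG = """\
2022-09-15T22:00:05Z contractor1 push_sent
2022-09-15T22:00:40Z contractor1 push_denied
2022-09-15T22:00:50Z contractor1 push_sent
2022-09-15T22:01:25Z contractor1 push_timeout
2022-09-15T22:01:30Z contractor1 push_sent
2022-09-15T22:02:05Z contractor1 push_denied
2022-09-15T22:02:10Z contractor1 push_sent
2022-09-15T22:02:45Z contractor1 push_timeout
2022-09-15T22:02:50Z contractor1 push_sent
2022-09-15T22:03:20Z contractor1 push_approved
2022-09-15T22:03:00Z alice push_sent
2022-09-15T22:03:15Z alice push_approved
"""

def parse_events(text):
    """Parse log lines into (timestamp, user, event) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event = line.split()
        ts_dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts_dt, user, event))
    return sorted(events)

def find_mfa_fatigue(events, window=timedelta(minutes=10), threshold=4):
    """Return (user, approval_time, prompts_in_window) for every push approval
    that was preceded by at least `threshold` push prompts for the same user
    inside `window`. One prompt followed by an approval is normal and not flagged."""
    recent = {}  # user -> deque of push_sent timestamps still inside the window
    hits = []
    for ts, user, event in events:
        q = recent.setdefault(user, deque())
        while q and ts - q[0] > window:  # drop prompts older than the window
            q.popleft()
        if event == "push_sent":
            q.append(ts)
        elif event == "push_approved" and len(q) >= threshold:
            hits.append((user, ts, len(q)))
            q.clear()  # report each suspicious approval once
    return hits

if __name__ == "__main__":
    for user, ts, n in find_mfa_fatigue(parse_events(SAMPLE_LOG)):
        print(f"ALERT: {user} approved a push after {n} prompts, window ending {ts.isoformat()}")
```

Tune `window` and `threshold` to your provider's prompt cadence; the same approval event is also a natural place to require number matching rather than a plain approve button.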