Uber reportedly has suffered another massive security incident, which is likely more extensive than its 2016 data breach and potentially may have compromised its entire network. It also can result in access logs being deleted or altered.
A hacker on Thursday was believed to have breached multiple internal systems, with administrative access to Uber’s cloud services including on Amazon Web Services (AWS) and Google Cloud (GCP).
“The attacker is claiming to have completely compromised Uber, showing screenshots where they’re full admin on AWS and GCP,” Sam Curry wrote in a tweet. The security engineer at Yuga Labs, who corresponded with the hacker, added: “This is a total compromise from what it looks like.”
Uber since had shut down online access to its internal communications and engineering systems, while it investigated the breach, according a report by The New York Times (NYT), which broke the news. The company’s internal messaging platform, Slack, also was taken offline.
The hacker, who claimed to be 18 years old, told NYT he had sent a text message to an Uber employee and was able to persuade the staff member to reveal a password after claiming to be a corporate information technology personnel. The social engineering hack allowed him to breach Uber’s systems, with the hacker describing the company’s security posture as weak.
With the employee’s password, the hacker was able to get into the internal VPN, said Acronis’ CISO Kevin Reed in a LinkedIn post. The hacker then gained access to the corporate network, found highly privileged credentials on network file shares, and used these to access everything, including production systems, corporate EDR (endpoint detection and response) console, and Uber’s Slack management interface.
It was not known, though, how the hacker was able to circumvent the two-factor authentication after obtaining the employee’s password, Reed noted.
“This looks bad,” he said, noting that it was likely hackers now could access whatever data Uber had.
Asked if the impact was similar or potentially greater than Uber’s 2016 data breach, Reed told ZDNET the latest compromise was certainly large and “as big as it could be”. Every system Uber operated might have been compromised, he said.
While it was unclear what data the ride-sharing company retained, he noted that whatever it had most likely could be accessed by the hacker, including trip history and addresses.
Given that everything had been compromised, he added that there also was no way for Uber to confirm if data had been accessed or altered since the hackers had access to logging systems. This meant they could delete or alter access logs, he said.
In the 2016 breach, hackers infiltrated a private GitHub repository used by Uber software engineers and gained access to an AWS account that managed tasks handled by the ride-sharing service. It compromised data of 57 million Uber accounts worldwide, with hackers gaining access to names, email addresses, and phone numbers. Some 7 million drivers also were affected, including details of more than 600,000 driver licenses.
Uber later was found to have concealed the breach for more than a year, even resorting to paying off hackers to delete the information and keep details of the breach quiet. The ride-sharing company in 2018 reached a $148 million settlement to pay $148 million over the breach and coverup, with the monies distributed across the US.