Uber has posted an update on the recent breach, in which it said that a hacker affiliated with Lapsus$, a data extortion gang that has targeted tech firms like Microsoft, Samsung and T-Mobile, was responsible for the hack. The same group may have been behind the breach of video game maker Rockstar Games over the weekend.
The incident that took place last week forced the ride-hailing company to temporarily shut down its internal communications and engineering systems. Furthermore, the attacker behind the hack posted several screenshots demonstrating Uber’s AWS instance, HackerOne administration panel and other critical IT systems, suggesting that the company was completely compromised.
Now, Uber has shared more details on the breach and, according to the company, the intruder gained access to its network through a compromised account of an Uber EXT contractor, a corporate password to which the attacker likely purchased on the dark web “after the contractor’s personal device had been infected with malware, exposing those credentials.” From there, the hacker accessed several other employee accounts and gained elevated permissions to a number of tools, including G-Suite and Slack. The attacker then posted a message to a company-wide Slack channel, and reconfigured Uber’s OpenDNS to display a graphic image to employees on some internal sites.
The company says it found no evidence that the attacker accessed any user accounts or made changes to Uber’s codebase. There was also no indication that the production systems that power Uber apps, or the databases that store sensitive info, such as credit card numbers, user bank account info, or trip history were compromised. Uber admitted that the hacker downloaded some internal Slack messages, as well as accessed or downloaded information from an internal tool its finance team uses to manage some invoices.
“The attacker was able to access our dashboard at HackerOne, where security researchers report bugs and vulnerabilities. However, any bug reports the attacker was able to access have been remediated,” Uber said.
In response to the attack Uber blocked compromised employee accounts, temporarily disabled tools and reset access to services. It also added additional monitoring for unusual activity.
