20 September 2022

Uber blames Lapsus$-linked hackers for the recent breach


Uber has posted an update on the recent breach, in which it said that a hacker affiliated with Lapsus$, a data extortion gang that has targeted tech firms like Microsoft, Samsung and T-Mobile, was responsible for the hack. The same group may have been behind the breach of video game maker Rockstar Games over the weekend.

The incident, which took place last week, forced the ride-hailing company to temporarily shut down its internal communications and engineering systems. Furthermore, the attacker behind the hack posted several screenshots showing Uber’s AWS instance, HackerOne administration panel and other critical IT systems, suggesting that the company was completely compromised.

Uber has now shared more details on the breach. According to the company, the intruder gained access to its network through the compromised account of an Uber EXT contractor; the attacker likely purchased the contractor's corporate password on the dark web “after the contractor’s personal device had been infected with malware, exposing those credentials.” From there, the hacker accessed several other employee accounts and gained elevated permissions to a number of tools, including G-Suite and Slack. The attacker then posted a message to a company-wide Slack channel and reconfigured Uber’s OpenDNS to display a graphic image to employees on some internal sites.

The company says it found no evidence that the attacker accessed any user accounts or made changes to Uber’s codebase. There was also no indication that the production systems that power Uber apps, or the databases that store sensitive information such as credit card numbers, user bank account info or trip history, were compromised. Uber admitted that the hacker downloaded some internal Slack messages and accessed or downloaded information from an internal tool its finance team uses to manage some invoices.

“The attacker was able to access our dashboard at HackerOne, where security researchers report bugs and vulnerabilities. However, any bug reports the attacker was able to access have been remediated,” Uber said.

In response to the attack, Uber blocked compromised employee accounts, temporarily disabled tools and reset access to services. It also put additional monitoring in place for unusual activity.
