Uber Suffers Data Hemorrhage Of Unknown Severity

Uber suffered a massive data breach, at this point the full extent of the breach is unknown, however, the alleged hacker has come forward to state that it was a complete compromise.

By Kristi Eckert | Published

This article is more than 2 years old

Uber has suffered a data breach of unknown scale allegedly at the hands of a hacker. The company has asserted that they are currently investigating the extent of the leak. However, the New York Times reported that the hack likely resulted in a full compromise of Uber’s internal systems and networks. 

Sam Curry, who works as a security engineer at Yuga Labs, told the New York Times that based on the communication he’s had with the alleged hacker, the person seems to have full reign of Uber and all of its most sensitive information. This was further corroborated by pictures and information that Uber’s supposed perpetrator sent to the Times. 

At this point, Uber has not been very forthcoming with any details relating to the systems’ compromise that they have been able to gather thus far. The company has merely asserted that the matter is under investigation and is currently working with law enforcement. However, based on employee accounts not sanctioned by the company, the hacker was able to infiltrate the company using Slack. 

According to the employees familiar with the situation, the hacker was able to gain access to Slack by convincing an employee that they worked in Uber’s IT department. Once gaining access via the employee’s credentials they were able to execute a systems-wide hack. Essentially, they used their social prowess combined with their hacking skills to accomplish their infiltration goals. 

Rachel Tobac, the chief executive of SocialProof Security, highlighted that instances of hackers leveraging social interaction to complete their exploits have been increasing exponentially in recent years. “These types of social engineering attacks to gain a foothold within tech companies have been increasing,” Tobac continued, “They have kits now that make it easier to deploy and use these social engineering methods. It’s become almost commoditized.”

uber hacker

Tobac pointed out that, like Uber, Twitter, and even Microsoft suffered debilitating hacks as a result of cybercriminals gaining access via social means. In Microsoft’s case, it was at the hands of a teenager. “We are seeing that attackers are getting smart and also documenting what is working,” said Tobac. Interestingly though, this is not the first time that Uber has suffered a massive breach. 

In 2016, Uber paid a ransom of $100,000 to a hacker that was able to retrieve an immense amount of personal information from tens of millions of driver and user accounts. It’s something that the company held close to its chest for about a year, before ultimately admitting that the hack had indeed happened. Uber’s lack of transparency in that situation is a debatable tactic, to say the least. 

Thankfully this time around the company has let the public know that a hack did take place. Although had the hacker not gone to the press, it remains unclear if they still would have said anything. Regardless, it is unsettling to think that Uber is still trying to determine the full breadth of what the hacker siphoned from the company. 

Latha Maripuri, Uber’s current chief information security officer, sent an email out to employees that essentially stated that the team is working on the issue but at this point does not have a timeframe when things will be fully back to normal. “We don’t have an estimate right now as to when full access to tools will be restored, so thank you for bearing with us,” read a portion of the email.