September 27, 2022

Uber said on Thursday it is investigating a cybersecurity incident, following reports that the ride-hailing company was hacked.

“We are currently responding to a cybersecurity incident,” Uber said in a statement on Twitter. “We are in contact with law enforcement and will post additional updates here as they become available.”

A hacker gained control of Uber’s internal systems after an employee’s Slack account was compromised, according to The New York Times, which says it contacted the attacker directly. Workplace messaging service Slack is used by many tech companies and startups for everyday communication. According to several reports, Uber has now disabled its Slack.

Uber shares fell 5 percent on Friday after news of the hacking.

After compromising Uber’s internal Slack in a so-called social engineering attack, the hacker accessed other internal databases, the Times reported. In a Slack message, the hacker wrote: “I declare that I am a hacker and that Uber has suffered a data breach.”

A separate report from The Washington Post said the alleged attacker told the newspaper that he breached Uber for entertainment and could leak the company’s source code within a few months.

The Post, citing two people familiar with the matter, reported that employees initially thought the attack was a joke and responded to the alleged hacker’s Slack messages with emoji and GIFs.

Screenshots shared on Twitter show that the hacker also took over Uber’s Amazon Web Services and Google Cloud accounts, and gained access to internal financial data.

CNBC was unable to independently verify the information. Uber declined to comment beyond its statement posted on Twitter.

While it’s not yet entirely clear how Uber’s systems were compromised, cybersecurity researchers said initial reports indicate the hackers abandoned sophisticated hacking techniques in favor of social engineering. This is where criminals prey on people’s credulity and inexperience to gain access to corporate accounts and sensitive data.

“It’s a very low bar for a penetration attack,” said Ian McShane, vice president of strategy at cybersecurity firm Arctic Wolf. “Given the access they have obtained, I am surprised that the attacker did not attempt a ransom or extortion, it is as if they did it ‘for the lulz’.”

“This is proof once again that often the weakest link in your security defense is the human being,” McShane said.

Sam Curry, a self-described “bug bounty hunter,” said he had been in contact with the alleged Uber hacker and claimed the targeted employee was involved in incident response. Curry said this means the hacker is likely to have “initially advanced access.” Bug bounties are rewards given by companies to hackers for discovering software vulnerabilities.

“To my understanding, the attacker had the keys to the state after obtaining an internal file with the credentials of almost everything,” he said. Curry works as a security engineer for crypto startup Yuga Labs and says he spoke with the hacker through Telegram, an instant messaging platform.

News of the attack comes as former Uber security chief, Joe Sullivan, is on trial over a 2016 breach in which the records of 57 million users and drivers were stolen. In 2017, the company admitted to concealing the attack and, the following year, paid $148 million in settlements with 50 US states and Washington, DC.

Uber has attempted to clean up its image following the 2017 exit of Travis Kalanick, the controversial former CEO who founded the company in 2009. But scandals and controversies from Kalanick’s turbulent tenure have continued to haunt the firm.

In July, The Guardian reported on thousands of leaked documents detailing how Uber entered cities around the world, even if it meant breaking local laws. In one instance, former CEO Travis Kalanick said that “violence guarantees success” after being confronted by other executives about concerns for the safety of Uber drivers sent to protests in France.

In response to The Guardian’s reporting at the time, Uber said the incidents were related to “past behavior” and “not in line with our current values.”