Uber Hacked! Teenage hacker advocating drivers’ rights used social engineering to gain access to Uber’s Slack & internal systems
Uber has been hacked by a teenage hacker, forcing the ride-hailing giant to take several of its internal communications and engineering systems offline as it investigated the hack. Uber announced Thursday it’s conducting investigations into what led to the hack, according to a report from The New York Times.
According to the Times, the teenage hacker advocating drivers’ rights used social engineering to gain access to Uber’s internal network. A message on Uber’s internal system on Thursday told employees, “I announce I am a hacker and Uber has suffered a data breach.”
Other reports claimed the hacker used SMS phishing to gain access to Uber’s internal stack on AWS. By the hacker’s own account, the method was to send an SMS phish to an Uber worker while posing as IT Support, steal the worker’s credentials, and then use them to access Slack (a popular messaging system) and other internal systems.
Seeing a major increase in SMS phishing. The person who claimed they just hacked Uber is saying their method was:
– Send SMS phish to Uber worker as IT Support
– Steal credentials
– Access Slack & internal systems
Thanks for chatting @kateconger @nytimes https://t.co/qS1A1u37DN
(Rachel Tobac, @RachelTobac, September 16, 2022)
According to The Times, the teenage hacker claiming responsibility for the hack also sent images of the email, cloud storage, and code repositories to cybersecurity researchers and the NYT. “They pretty much have full access to Uber,” said Sam Curry, a security engineer at Yuga Labs who corresponded with the hacker. “This is a total compromise, from what it looks like.”
Uber later notified employees not to use its internal messaging service, Slack, and other internal systems were found to be inaccessible. But before the Slack system was taken offline, Uber employees received a message that read:
“I announce I am a hacker, and Uber has suffered a data breach.” He listed several internal databases that he claimed to have compromised. Uber drivers should receive higher pay, he added.
The hacker compromised a worker’s Slack account and used it to send the message. He was 18 years old and had worked on his cybersecurity skills for several years. He said he had broken into Uber’s systems because the company had weak security. The alleged hacker claimed access to Uber’s Amazon Web Services account, the Washington Post reports.
The hacker claimed to have breached the company for fun and said he might leak source code “in a few months.”
According to a recent IBM study conducted by the Ponemon Institute, data breaches cost American companies on average more than $8 million per incident, with big breaches (more than 50 million records) costing $388 million.