Uber said a hacker associated with the Lapsus$ hacking group was responsible for a breach of its internal systems last week, while reiterating that no customer or user data was compromised in the attack.
The hack, which was discovered last Thursday, forced the company to take several of its internal systems offline, including Slack, Amazon Web Services and Google Cloud Platform.
This happened days before video game maker Rockstar Games was also hacked by a hacker who claims to be the same person who attacked Uber. Dozens of never-before-seen company videos Grand Theft Auto VI were leaked online. In its security update, Uber refers to the Rockstar Games hack but does not confirm that it was the same attacker.
The company says it is in close contact with the FBI and the US Department of Justice as the investigation continues.
Uber confirmed that the hacker downloaded internal messages from Slack as well as information from an internal tool used by the company’s finance team to manage invoices. “We are currently analyzing these uploads,” the company said in a statement.
Lapsus$ is a hacking group known for launching a ransomware attack on the Brazilian Ministry of Health in December 2021, compromising the COVID-19 vaccination data of millions of people in the country. It also targets a number of prominent companies, stealing data from Nvidia, Samsung, Microsoft and Vodafone. London police arrested several members of the group earlier this year, all of whom were teenagers.
In its update on the breach, Uber confirmed new details about the hack. The company said the attacker likely purchased an Uber contractor’s corporate password on the dark web after the contractor’s personal device was infected with malware, exposing that information to identification.
“The attacker then made multiple attempts to log into the contractor’s Uber account,” the company said. “Each time, the contractor received a two-factor login approval request, which initially blocked access. Eventually, however, the contractor accepted one and the attacker logged in successfully.
(Previously, the alleged hacker claimed to have received a password allowing access to Uber’s systems from an employee of the company, whom he had tricked into posing as a company IT manager – a technique known as social engineering.)
The hacker then gained access to several other Uber employee accounts, gradually gaining more permissions for a number of the company’s internal tools, including G Suite and Slack. The attacker then posted a message on a company-wide Slack channel and “reconfigured Uber’s OpenDNS to display a graphical image to employees at certain internal sites,” the company said.
The hacker eventually announced himself to Uber employees by posting a message on the company’s internal Slack system. “I am announcing that I am a hacker and that Uber has suffered a data breach”, message screenshots circulating on Twitter read. The alleged hacker then listed the company’s confidential information they said they had accessed and posted a hashtag stating that Uber was underpaying its drivers.
Uber said it responded by forcing employees and contractors whose accounts had been compromised to change their passwords and blocking them from accessing certain internal systems until they had done so. It also performed key rotation – effectively resetting access – to many of Uber’s internal services. And it has locked down its own codebase, preventing any further code changes – although it claims not to have detected any changes yet.
Uber also says sensitive customer data, including personally identifiable information and financial data, is secure.
First, we did not find that the attacker gained access to the production (i.e., publicly available) systems that power our applications; all user accounts; or databases we use to store sensitive user information, such as credit card numbers, user bank account information, or travel history. We also encrypt credit card information and personal health data, providing an additional layer of protection.
Uber says the hacker accessed the company’s dashboard on HackerOne, where security researchers report bugs and vulnerabilities. “However, all bug reports that the attacker was able to access have been fixed,” the company says.
In addition to law enforcement, Uber says it is also working with “several major digital forensics firms” as part of its ongoing investigation.
“We will also take this opportunity to continue to strengthen our policies, practices and technology to further protect Uber from future attacks,” the company said.