Uber Hacked by 18-Year-Old, Source Code and Internal Communications Compromised: Report

Popular ride-hailing and mobility app Uber became the target of a wide-reaching network breach on Thursday that forced the company to take several of its internal communication channels and engineering systems offline — reports The New York Times.

The perpetrator, who claimed to be an 18-year-old and said they had been working on their cybersecurity skills for several years, sent images of internal emails, cloud storage, and code repositories to the publication and cybersecurity researchers.

“They pretty much have full access to Uber,” said Sam Curry, a security engineer at Yuga Labs who corresponded with the person who claimed responsibility for the attack. “This is a total compromise, from what it looks like.”

What’s more, the attack vector for this comprehensive systems breach was social engineering. The person who claimed responsibility for the hack told The New York Times that they texted an Uber worker, posing as a corporate information technology person, and persuaded them to divulge a password that then allowed them access to Uber’s internal systems.

They were then able to compromise the company’s source code and internal communication systems, including Uber’s Slack channels. The hacker gained access to a worker’s Slack account and broadcasted a message that read, “I announce I am a hacker and Uber has suffered a data breach.”

Their message also listed several internal databases that they claimed had been compromised, and it also said that drivers should receive higher pay.

In addition, the perpetrator gained access to other communications systems at Uber, posting an explicit photo on an internal information page for employees.

Uber consequently took its Slack channels and other internal tools offline.

According to an internal email, Uber has launched an investigation into the breach. “We don’t have an estimate right now as to when full access to tools will be restored, so thank you for bearing with us,” Latha Maripuri, Uber’s chief information security officer, wrote in the email.

This isn’t the first time Uber has fallen victim to a massive hack. Back in 2016, hackers stole information belonging to 57 million driver and rider accounts. The data was later ransomed for $100,000 USD.

Uber on Thursday launched its electric vehicle (EV) ridesharing program in Canada, starting with Vancouver.

Update (September 17): Since publishing, Uber has issued a statement saying there is “no evidence” of any sensitive user data being accessed or stolen as part of the hack. Uber’s investigation into the extent of the breach is still ongoing, though. The company further added that all of its services are operational, and internal systems that were taken down are now coming back online.