Uber was hacked by a teenager – here’s what we know so far
An 18-year-old made it into Uber’s systems. Uber is currently responding to the incident.
UPDATE 9/16/2022 1:56 PM ET: Uber has responded to the report from The New York Times. The company states that it doesn’t have evidence that sensitive data was accessed and that law enforcement has been notified. Read the original report below.
This incident is strange on so many levels. While the extent of the intrusion remains unclear, what we do know is genuinely astonishing.
Using the little information we have, we’re going to break down this incident, analyze Uber’s response, and explore any possible consequences for Uber riders.
Here’s the good news: the attacker doesn’t appear to be operating as part of some profit-driven criminal gang or a state-sponsored hacking outfit.
In fact, the hacker appears motivated by curiosity and a desire to transgress the digital defenses of the world’s most valuable taxi company.
How do we know this? First, the attacker was fairly candid about their motivations. Speaking to The New York Times, they claimed to be an 18-year-old cybersecurity enthusiast.
Why did Uber enter their crosshairs? Because the attacker claimed it “had weak security.”
Moreover, they announced their presence to Uber. After gaining access to its internal systems, the hacker posted a Slack message that read: “I announce I am a hacker and Uber has suffered a data breach.”
Real malicious actors tend to stay silent for as long as possible. Or they act decisively to cripple the company to extract a steep ransom. Neither of those things happened here.
The Slack message also called for Uber to pay its drivers more and listed several internal databases. As a final coup de grace, the attacker, according to The New York Times, posted “an explicit photo on an internal information page for employees.”
At the time of writing, Uber is yet to publish its postmortem on the security incident. That’s understandable. This story is very fresh.
We’ll have to rely on the attacker’s own testimony, and NYT’s reporting, for clarity here. According to the paper, the attacker used simple social engineering tactics.
They persuaded an employee to hand over their password by pretending to be a “corporate information technology person.”
What happened after remains murky. One NYT source claimed the attack was a “total compromise” of Uber’s systems.
But there’s a difference between a compromise and a catastrophic breach. Where an incident sits between those two poles largely hinges on intent.
If the attacker exfiltrated huge quantities of user data and sold it, or held the company to ransom, as with the 2017 Uber hack, the incident falls into the latter category. So far, there’s no evidence of this.
The lack of any financial motive doesn’t justify what happened. But it does indicate that this hacker is just a curious teen with a scant understanding of cybersecurity law.
After compromising the employee’s account, the attacker found a Microsoft PowerShell script with hard-coded admin credentials, according to security expert Marcus Hutchins.
With these credentials, the hacker could infiltrate other parts of Uber’s IT apparatus. In the security field, this is called “lateral movement.”
Or, put another way: the attacker progressively increases their hold by compromising more systems, each providing another piece of the puzzle.
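Credentials embedded in scripts, as described above, are something a defender can look for before an intruder does. The following is an added example, not code from this article or from Uber: a small Python scanner that flags common PowerShell patterns for embedded secrets and runs over a constructed sample script. The detection patterns and the sample script are assumptions made for this example; `Get-Secret` is the cmdlet from the Microsoft.PowerShell.SecretManagement module and appears as the hardened alternative in which the secret is fetched from a vault at run time.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Heuristic patterns that commonly indicate a secret embedded in a PowerShell
# script. Chosen for this example; not an exhaustive list.
PATTERNS = [
    # ConvertTo-SecureString "literal" -AsPlainText: plaintext turned into a
    # SecureString on the spot, so the secret still lives in the file.
    ("plaintext-securestring",
     re.compile(r'ConvertTo-SecureString\s+["\'][^"\']+["\']\s+-AsPlainText', re.I)),
    # $somePassword = "literal" / $apiToken = 'literal'
    ("password-assignment",
     re.compile(r'\$\w*(pass|pwd|secret|token)\w*\s*=\s*["\'][^"\']+["\']', re.I)),
    # -Password "literal", -ApiKey 'literal', ...
    ("password-parameter",
     re.compile(r'-(Password|Pwd|Secret|Token|ApiKey)\s+["\'][^"\']+["\']', re.I)),
    # Password=... inside a connection string
    ("connection-string",
     re.compile(r'(Password|Pwd)=[^;"\']+', re.I)),
]


@dataclass
class Finding:
    line_no: int
    rule: str
    line: str


def scan_script(text: str) -> list[Finding]:
    """Return one Finding per line that matches a hard-coded-secret pattern.

    Comment-only lines are skipped; a line is reported at most once, under the
    first rule that matches it.
    """
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for rule, pattern in PATTERNS:
            if pattern.search(line):
                findings.append(Finding(line_no, rule, stripped))
                break
    return findings


# Constructed sample: a deployment helper of the kind the article describes.
# This is NOT Uber's script; the values are made up for the example.
SAMPLE_SCRIPT = """\
# Constructed sample deployment helper (not a real script)
$adminUser = "svc-deploy"
$adminPassword = "Sup3rS3cret!"          # hard-coded: finding expected
$secure = ConvertTo-SecureString "Sup3rS3cret!" -AsPlainText -Force   # finding expected
$cred = New-Object System.Management.Automation.PSCredential($adminUser, $secure)
Invoke-Command -ComputerName build01 -Credential $cred -ScriptBlock { Get-Service }
# Hardened form: the secret is fetched from a vault at run time, nothing to find
$cred2 = Get-Secret -Name DeployServiceAccount
"""


def report(text: str) -> list[tuple[int, str]]:
    """Compact (line number, rule) summary, convenient for CI output or tests."""
    return [(f.line_no, f.rule) for f in scan_script(text)]


if __name__ == "__main__":
    for finding in scan_script(SAMPLE_SCRIPT):
        print(f"line {finding.line_no}: {finding.rule}: {finding.line}")
```

Running the block on the constructed sample reports the literal password assignment and the `ConvertTo-SecureString ... -AsPlainText` line, while the `Get-Secret` line produces nothing. A scanner like this belongs in a pre-commit hook or CI job over script repositories and file shares; it is a cheap control, and regex heuristics will miss secrets built by string concatenation or stored in adjacent config files, so it complements rather than replaces moving service credentials into a managed secret store.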
Uber is yet to clarify any impact on users. The company is yet to publish a formal announcement on its newsroom page, as is usually the case when a company experiences a breach.
In a tweet, Uber said it is investigating the incident in collaboration with law enforcement agencies.
Given that the attacker has spoken to various news agencies and made no effort to hide their presence in Uber’s network, it’s highly likely they’ll be awoken by an early morning knock on the door in the coming weeks and months.
Opsec (or ‘operational security,’ the process of hiding your actions) likely isn’t their biggest priority.
What does this mean for Uber customers?
Honestly, we don’t know. There is no definitive information about what the attacker accessed, whether they exfiltrated any data, or Uber’s policies regarding customer information.
As such, we’ll recommend you take the following steps:
- As a precaution, change your Uber password to something strong and unique. Ideally, Uber should protect passwords with hashing and salting (as explained here). If it doesn’t, or doesn’t to an adequate level, changing your password will protect your account.
- Set up two-factor authentication (MFA or 2FA).
- Delete your debit card details. Paying for Uber rides with a credit card means you can make a chargeback if an attacker hijacks your account.
KnowTechie has reached out to an Uber representative for comment. If we hear back, we’ll update this post.
UPDATE 9/20/2022 8:30 AM ET: Uber published a post on its company blog, which provides updates on what exactly happened and how it is handling its response to the recent security incident.
The company outlines the severity of the breach, how it happened, who was responsible, and what they’re doing to mitigate the issue. The investigation is still ongoing, and the company is now working with digital forensics firms to resolve the issue.