Thursday, September 15, 2022, could have been a typical day for Uber employees. However, what employees at first took for a joke would turn the day upside down for the company.
“I announce i am a hacker and uber has suffered a data breach.” So begins the message employees received on Slack, the application Uber uses to communicate internally and with its partners. The sender also claimed to have had access to several services used by the company, including Slack, Confluence, and Phabricator.
On the evening of the same day, Uber confirmed that it was responding to a cybersecurity incident, that it was in touch with law enforcement, and that it would post additional updates later.
The next day, Uber said it had no evidence that sensitive user data was affected by the attack. But it quickly turned out that the problem was deeper than Uber claimed.
A few hours later, the hacker shared screenshots that, according to cybersecurity experts, demonstrate the extent of the security disaster facing the company. Internal systems, confidential financial data, and the company’s AWS accounts were compromised.
The hacker described Uber’s security as awful and said he had attacked it alone, at 18, for fun. He explained that he got into Uber’s systems by repeatedly triggering multi-factor authentication notifications to an internal target, an employee of the company, prompting them to approve the login. He then contacted the target via WhatsApp, claiming to be from the Uber IT department, and suggested they approve the request so that the notifications would stop.
This is a social engineering technique called MFA fatigue, in which an attacker who already holds a victim’s username and password generates a series of authentication requests on the victim’s device in the hope that the victim loses patience and accepts one of them. Once the request is accepted, the hacker’s device adds itself to the trusted list and can be used to log into the victim’s account.
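The defensive counterpart to the pattern just described is to notice it in authentication logs before a worn-down user approves. The following added example (not code from the article or from Uber) reads a constructed, hypothetical push-MFA log format (ISO timestamp, user, event, source IP) and flags any user who receives a burst of push requests within a short window, recording whether an approval followed the burst and how many denials preceded it. Thresholds, field names and the log format are assumptions for illustration.

```python
"""Flag MFA push-bombing ("MFA fatigue") bursts in authentication logs.

Added illustrative example; the log format below is constructed and
hypothetical, not that of any real MFA product.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: <ISO timestamp> <user> <event> <source IP>.
# 'alice' receives six pushes in under four minutes, denies one, then gives in.
# 'bob' is a normal login: one push, one approval.
SAMPLE_LOG = """\
2022-09-15T13:01:02Z alice push_sent 203.0.113.7
2022-09-15T13:01:40Z alice push_denied 203.0.113.7
2022-09-15T13:02:05Z alice push_sent 203.0.113.7
2022-09-15T13:02:50Z alice push_sent 203.0.113.7
2022-09-15T13:03:30Z alice push_sent 203.0.113.7
2022-09-15T13:04:12Z alice push_sent 203.0.113.7
2022-09-15T13:04:55Z alice push_sent 203.0.113.7
2022-09-15T13:05:20Z alice push_approved 203.0.113.7
2022-09-15T09:10:00Z bob push_sent 198.51.100.4
2022-09-15T09:10:20Z bob push_approved 198.51.100.4
"""


def parse_log(text):
    """Parse the constructed log format into time-sorted event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "event": event,
            "ip": ip,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_push_bombing(events, threshold=5, window=timedelta(minutes=10)):
    """Return one finding per user who received `threshold` or more push
    requests inside any `window`-long span.

    Each finding notes whether an approval came after the burst (the user
    gave in) and how many explicit denials occurred during it (the user was
    resisting, a strong sign the pushes were not theirs).
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    findings = []
    for user, evs in by_user.items():
        sends = [e for e in evs if e["event"] == "push_sent"]
        start = 0
        # Sliding window over push_sent timestamps.
        for end in range(len(sends)):
            while sends[end]["ts"] - sends[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                burst_start = sends[start]["ts"]
                burst_end = sends[end]["ts"]
                approved_after = any(
                    e["event"] == "push_approved" and e["ts"] >= burst_end
                    for e in evs
                )
                denials = sum(
                    1 for e in evs
                    if e["event"] == "push_denied"
                    and burst_start <= e["ts"] <= burst_end
                )
                findings.append({
                    "user": user,
                    "pushes": count,
                    "window_start": burst_start,
                    "denials_in_burst": denials,
                    "approved_after_burst": approved_after,
                })
                break  # one finding per user is enough to raise an alert
    return findings


if __name__ == "__main__":
    for f in detect_push_bombing(parse_log(SAMPLE_LOG)):
        print(f)
```

A finding with `approved_after_burst` set is the case to escalate first: the session that resulted from that approval should be revoked and the device enrolled at approval time reviewed. Number-matching or code-entry MFA removes the one-tap approval this technique relies on, so the detector is a stopgap rather than a substitute for that control.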
The Uber hacker gained access to PowerShell and came across a script containing encrypted login credentials for the Thycotic privilege manager. With control of this account, the attacker gained access to the company’s cloud services, including the Amazon AWS control panels, the Google Workspace enterprise service, and the OneLogin identity and access management service, as well as some sensitive information (the company’s internal financial statements, among others).
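The lesson of the script is that credentials embedded in automation are only as protected as the share they sit on. As an added example (not code from the article, from Uber, or from any vendor), here is a small scanner that walks a PowerShell script for the patterns that most often carry embedded secrets: a plaintext assignment to a password-like variable, a SecureString built from a string literal, a secret passed inline as a parameter, and an AWS access key id. The script it scans is constructed, and the AWS key in it is the documented placeholder value, not a real key.

```python
"""Scan PowerShell source for embedded credentials.

Added illustrative example; the patterns are a minimal starting set, not a
complete secret-detection ruleset, and the script below is constructed.
"""
import re

# Each pattern names one way a secret commonly ends up inside a script.
SECRET_PATTERNS = {
    # $somethingPassword = "literal"  (also pwd / secret / token in the name)
    "plaintext_password_assignment": re.compile(
        r'\$\w*(pass|pwd|secret|token)\w*\s*=\s*["\'][^"\']+["\']', re.I),
    # ConvertTo-SecureString "literal" -AsPlainText: "secure" in name only
    "securestring_from_literal": re.compile(
        r'ConvertTo-SecureString\s+["\'][^"\']+["\']\s+-AsPlainText', re.I),
    # -Password "literal" / -ApiKey "literal" / -Secret "literal"
    "inline_password_parameter": re.compile(
        r'-(Password|ApiKey|Secret)\s+["\'][^"\']+["\']', re.I),
    # AWS access key id shape: AKIA followed by 16 uppercase alphanumerics
    "aws_access_key_id": re.compile(r'\bAKIA[0-9A-Z]{16}\b'),
}

# Constructed script. Lines 3, 4 and 7 embed secrets; line 8 shows the
# pattern that does not (credentials prompted for, or fetched, at run time).
SAMPLE_SCRIPT = """\
# Constructed automation script, not from any real environment
$vaultUser = "svc-automation"
$vaultPassword = "P@ssw0rd-example"
$secure = ConvertTo-SecureString "P@ssw0rd-example" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($vaultUser, $secure)
Invoke-RestMethod -Uri "https://vault.example.internal/api" -Credential $cred
$env:AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
$cred2 = Get-Credential
"""


def scan_script(text):
    """Return (line_number, pattern_name) for every matching line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, name))
    return findings


def has_embedded_secrets(text):
    """Convenience gate for a pre-commit or CI check."""
    return bool(scan_script(text))


if __name__ == "__main__":
    for lineno, name in scan_script(SAMPLE_SCRIPT):
        print(f"line {lineno}: {name}")
```

Run as a pre-commit hook or CI step, `has_embedded_secrets` fails the build before a script with a literal password reaches a shared drive. The fix on the script side is to prompt for or fetch the credential at run time (line 8 of the sample) rather than store it, so that reading the file yields nothing usable.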
This type of incident reminds us that no organization, including the largest and best-resourced, is immune to cybersecurity threats. This is not the first time Uber has suffered a breach of this scale; the best known is the 2016 breach. Companies are increasingly targeted by cyber attacks, but data leaks are not always handled with transparency.
One can’t help but wonder why companies seem so vulnerable to hacking. Do they take cybersecurity lightly? After all, we can’t say they lack resources. And if the biggest companies cannot protect themselves, how are small companies supposed to?