Serious breach at Uber spotlights hacker social deception

The ride-hailing service Uber said Friday that all of its services were operational following what security professionals are calling a major data breach, claiming there was no evidence the hacker got access to sensitive user data.

But the breach, apparently by a lone hacker, put the spotlight on an increasingly effective break-in routine involving social engineering: The hacker apparently gained access by posing as a colleague, tricking an Uber employee into surrendering their credentials.

They were then able to find passwords on the network that got them the level of privileged access reserved for system administrators.

The potential damage was serious: Screenshots the hacker shared with security researchers indicate they obtained full access to the cloud-based systems where Uber stores sensitive customer and financial data.

It is not known how much data the hacker stole or how long they were inside Uber’s network. Two researchers who communicated directly with the person — who self-identified as an 18-year-old to one of them — said they appeared interested in publicity. There was no indication they destroyed data.

“It was really horrific the access he had. It’s lousy,” said Corbin Leo, one of the researchers who chatted with the hacker online.

The cybersecurity community’s online reaction — Uber also suffered a serious 2016 breach — was harsh.

The hack “wasn’t state-of-the-art or complex and genuinely hinged on a couple of massive systemic safety culture and engineering failures,” tweeted Lesley Carhart, incident response director of Dragos Inc., which specializes in industrial-control systems.

Leo said screenshots the hacker shared showed the intruder got access to systems stored on Amazon and Google cloud-based servers where Uber keeps source code, financial data and customer data such as driver’s licenses.

“If he had keys to the kingdom he could start stopping services. He could delete stuff. He could download customer data, change people’s passwords,” said Leo, a researcher and head of business development at the security company Zellic.

Screenshots the hacker shared — many of which found their way online — showed sensitive financial data and internal databases accessed. Also widely circulating online: The hacker announcing the breach Thursday on Uber’s internal Slack collaboration system.

Leo, together with Sam Curry, an engineer with Yuga Labs who also communicated with the hacker, said there was no indication that the hacker had done any damage or was interested in anything more than publicity.

“It’s pretty clear he’s a young hacker because he wants what 99% of what young hackers want, which is fame,” Leo said.

Curry said he spoke to several Uber employees Thursday who said they were “working to lock down everything internally” to restrict the hacker’s access. That included the San Francisco company’s Slack network, he said.

In a statement posted online Friday, Uber said “internal software tools that we took down as a precaution yesterday are coming back online.”

It said all its services — including Uber Eats and Uber Freight — were operational and that it had notified law enforcement. The FBI said via email that it is “aware of the cyber incident involving Uber, and our assistance to the company is ongoing.”

Uber said there was no evidence that the intruder accessed “sensitive user data” such as trip history but did not respond to questions from The Associated Press, including about whether data was stored encrypted.

Curry and Leo said the hacker did not indicate how much data was copied. Uber did not recommend any specific actions for its users, such as changing passwords.

The hacker alerted the researchers to the intrusion Thursday by using an internal Uber account on the company’s network used to post vulnerabilities identified through its bug-bounty program, which pays ethical hackers to ferret out network weaknesses.
