Uber stated that a hacker associated with the Lapsus$ hacking group was condemned for a breach of its internal systems last week while restating that no customer or user data was compromised during the attack.
Lapsus$ is a hacking group comprehended for waging a ransomware invasion against the Brazilian Ministry of Health in December 2021, compromising the COVID-19 vaccination data of millions within the nation.
It’s also targeted several high-profile companies, stealing data from Nvidia, Samsung, Microsoft, and Vodafone. London police arrested several group members earlier this year, all teenagers.
Uber confirmed new details about the hack in its update on the violation. The company said the attacker likely purchased an Uber contractor’s corporate password on the dark web after the contractor’s device had been infected with malware, exposing those credentials.
“The attacker then repeatedly tried to log in to the contractor’s Uber account,” the company said. “Each time, the contractor received a two-factor login approval request, which initially blocked access. Eventually, however, the contractor accepted one, and the attacker successfully logged in.”
The hacker then accessed several other Uber employee accounts, gradually gaining more permissions to internal company tools, including G Suite and Slack. The attacker then posted a message to a company-wide Slack channel and “reconfigured Uber’s OpenDNS to display a graphic image to employees on some internal sites,” the company said.
The hacker ultimately announced themselves to Uber’s employees by posting a message on the company’s internal Slack system. “I announce I am a hacker, and Uber has suffered a data breach,” screenshots of the message circulating on Twitter read. The alleged hacker then listed confidential company information they said they’d accessed and posted a hashtag saying that Uber underpays its drivers.
The hack, discovered last Thursday, forced the company to take several internal systems offline, including Slack, Amazon Web Services, and Google Cloud Platform.
It occurred a few days before video game maker Rockstar Games was also breached by a hacker who asserted to be the same individual who attacked Uber. Consequently, dozens of videos of the company’s unreleased Grand Theft Auto VI were leaked online. In its security update, Uber references the Rockstar Games hack but does not confirm it was the same attacker.
As the investigation continues, an enterprise is closely connected with the FBI and US Justice Department.
Uber ensured that the hacker downloaded some inner Slack messages and information from an internal tool used by the company’s finance team to manage invoices. “We are currently analyzing those downloads,” the company said in a statement.
Uber responded by pushing employees and contractors whose accounts were compromised to change their passwords and banning them from specific internal systems until they had done so. It also rotated keys — effectively resetting access — many of Uber’s interior services. And it locked down its codebase, preventing any new code changes — though it claims to have not detected any changes yet.
Uber also claims that sensitive customer data, including identifying personal and financial data, is secure.
First and foremost, we’ve not seen the attacker access the production (i.e., public-facing) systems. It powers apps, any user accounts, or the databases we use to store sensitive user information, like credit card numbers, user bank account info, or trip history. We also encrypt credit card information and personal health data, offering further protection.
Uber says the hacker accessed the company’s dashboard at HackerOne, where security researchers report bugs and vulnerabilities. “However, any bug reports the attacker was able to access have been remediated,” the company says.
In addition to law enforcement, Uber says it’s also working with “several leading digital forensics firms” as part of its ongoing investigation.
“We will also take this opportunity to continue strengthening our policies, practices, and technology to further protect Uber against future attacks,” the company said.