Cyber Security

Uber Claims No Delicate Information Uncovered in Newest Breach… However There’s Extra to This

Uber, in an replace, mentioned there may be “no proof” that customers’ personal info was compromised in a breach of its inside laptop techniques that was found late Thursday.

“We now have no proof that the incident concerned entry to delicate consumer knowledge (like journey historical past),” the corporate mentioned. “All of our providers together with Uber, Uber Eats, Uber Freight, and the Uber Driver app are operational.”

The ride-hailing firm additionally mentioned it is introduced again on-line all the inner software program instruments it took down beforehand as a precaution, reiterating it is notified legislation enforcement of the matter.

It is not instantly clear if the incident resulted within the theft of every other info or how lengthy the intruder was inside Uber’s community.

Uber has not supplied extra specifics of how the incident performed out past saying its investigation and response efforts are ongoing. However unbiased safety researcher Invoice Demirkapi characterised Uber’s “no proof” stance as “sketchy.”

“‘No proof’ might imply the attacker did have entry, Uber simply hasn’t discovered proof that the attacker *used* that entry for ‘delicate’ consumer knowledge,” Demirkapi mentioned. “Explicitly saying “delicate” consumer knowledge quite than consumer knowledge general can also be bizarre.”


The breach allegedly concerned a lone hacker, an 18-year-old teenager, tricking an Uber worker into offering account entry by social engineering the sufferer into accepting a multi-factor authentication (MFA) immediate that allowed the attacker to register their very own gadget.

Upon gaining an preliminary foothold, the attacker discovered an inside community share that contained PowerShell scripts with privileged admin credentials, granting carte blanche entry to different important techniques, together with AWS, Google Cloud Platform, OneLogin, SentinelOne incident response portal, and Slack.

Worryingly, as revealed by safety researcher Sam Curry, the teenager hacker can also be mentioned to have gotten maintain of privately disclosed vulnerability reviews submitted through HackerOne as a part of Uber’s bug bounty program.

HackerOne has since moved to disable Uber’s account, however the unauthorized entry to unpatched safety flaws within the platform might pose an enormous safety threat to the San Francisco-based agency ought to the hacker choose to promote the data to different menace actors for a fast revenue.

Uber Hack
Uber Hack
Uber Hack
Uber Hack

Up to now, the attacker’s motivations behind the breach are unclear, though a message posted by the hacker saying the breach on Slack included a name for larger pay for Uber’s drivers.

A separate report from The Washington Publish famous that the attacker broke into the corporate’s networks for enjoyable and may leak the corporate’s supply code in a matter of months, whereas describing Uber’s safety as “terrible.”

“Many occasions we solely discuss APTs, like nation states, and we overlook about different menace actors together with disgruntled staff, insiders, and like on this case, hacktivists,” Ismael Valenzuela Espejo, vp of menace analysis and intelligence at BlackBerry, mentioned.

“Organizations ought to embrace these as a part of their menace modeling workout routines to find out who might have a motivation to assault the corporate, their talent stage and capabilities, and what the affect may very well be based on that evaluation.”

The assault concentrating on Uber, in addition to the latest string of incidents towards Twilio, Cloudflare, Cisco, and LastPass, illustrates how social engineering continues to be a persistent thorn within the flesh for organizations.


It additionally exhibits that each one it takes for a breach to happen is an worker to share their login credentials, proving that password-based authentication is a weak hyperlink in account safety.

“As soon as once more, we see that an organization’s safety is simply nearly as good as their most weak staff,” Masha Sedova, co-founder and president of Elevate Safety, mentioned in a press release.

“We have to assume past generic coaching, as an alternative let’s pair our riskiest staff with extra particular protecting controls. So long as we proceed to deal with cybersecurity as solely a technical problem, we’ll proceed to lose this battle,” Sedova added.

Incidents like these are additionally proof that Time-based One Time Password (TOTP) codes – usually generated through authenticator apps or despatched as SMS messages – are insufficient at securing 2FA roadblocks.

One method to counter such threats is the usage of phishing-resistant FIDO2-compliant bodily safety keys, which drops passwords in favor of an exterior {hardware} gadget that handles the authentication.

“MFA suppliers ought to *by default* robotically lock accounts out quickly when too many prompts are despatched in a brief time frame,” Demirkapi mentioned, urging organizations to restrict privileged entry.

What's your reaction?

Leave A Reply

Your email address will not be published.