Cyber Security

Uber’s hacker *irritated* his method into its community, stole inner paperwork • Graham Cluley

Uber has suffered a safety breach which allowed a hacker to interrupt into its community, and entry the corporate’s inner paperwork and programs.

The incident, confirmed by the corporate in a tweet, and reported by the New York Occasions, left Uber instructing workers to not use its inner Slack messaging system, and resulted in different programs being made inaccessible.

The hacker, who has shared screenshots of inner Uber programs to verify his unauthorised entry, claims to be 18-years-old. He says that he merely – having already decided a sound username and password – tricked an Uber employees member into granting him entry to inner programs by bombarding them with a spate of multi-factor authentication (MFA) push notifications.

So-called “MFA fatigue assaults” repeatedly spam push notifications to victims till the person is so overwhelmed/irritated/fed-up that they merely grant entry to cease them.

Signal as much as our publication
Safety information, recommendation, and ideas.

Having gained entry through the socially-engineered worker to Uber’s VPN, the hacker is stated to have scanned the corporate’s community, and located a PowerShell script containing hardcoded (doh!) credentials for a Thycotic PAM admin account, which then helped unlock entry to lots of Uber’s inner programs.

Uber’s safety group can’t be feeling too good proper now, and the hacker poured salted into the wound by posting a message on the corporate’s Slack asserting that the agency had been breached.

Hello @right here

I announce i’m a hacker and uber has suffered an information breach.

Slack has been stolen, confidential knowledge with Confluence, stash and a couple of monorepos from phabricator have additionally been stolen, together with secrets and techniques from sneakers.


The reality is, in fact, that many many different firms are most likely liable to falling for the same trick, and should properly have employees who’ve made the error of hardcoding login credentials into their PowerShell scripts.

Sadly, some employees assumed the message posted by the hacker was a joke.

Many MFA suppliers permit permission to be granted by receiving a telephone name and urgent a key, or accepting a cell app push notification. Though this may be handy, hackers can subject a number of MFA requests till their request is lastly accepted.

Because the LAPSUS$ hacking gang, one other group which has exploited MFA fatigue, has beforehand defined:

Signin with password will subject MFA by means of a telephone name or authentication app. Nonetheless no restrict is positioned on the quantity of calls that may be made, name the worker 100 occasions at 1am whereas he’s making an attempt to sleep and he’ll greater than possible settle for it.

Multi-factor authentication is mostly a superb further degree of safety to have in place, however it could’t be carried out in isolation to different safety measures, and it must also be fastidiously configured to maximise the extent of safety it could convey.

Discovered this text attention-grabbing? Comply with Graham Cluley on Twitter to learn extra of the unique content material we put up.

Graham Cluley is a veteran of the anti-virus trade having labored for a lot of safety firms because the early Nineteen Nineties when he wrote the primary ever model of Dr Solomon’s Anti-Virus Toolkit for Home windows. Now an impartial safety analyst, he often makes media appearances and is an worldwide public speaker on the subject of pc safety, hackers, and on-line privateness.

Comply with him on Twitter at @gcluley, or drop him an electronic mail.

What's your reaction?

Leave A Reply

Your email address will not be published.