---
title: "A Young Hacker Unleashes Social Engineering Attack on Uber | DuoCircle"
description: "As evident from the recent Okta, Microsoft, and Twitter breaches, young hackers with sophisticated tools and plenty of time can persuade even the most aware."
image: "https://www.duocircle.com/images/og-default.png"
canonical: "https://www.duocircle.com/blog/email-security/a-young-hacker-unleashes-social-engineering-attack-on-uber/"
---

Quick Answer

In September 2022, an 18-year-old social-engineered an Uber employee by SMS, posing as IT, and obtained credentials that gave access to Slack, the AWS console, Google Workspace admin, and the HackerOne bug bounty account, where vulnerability reports may have been viewed. Uber froze Slack while law enforcement investigated.


![Social Engineering Attack](https://media.mailhop.org/duocircle/images/2022/09/dkim-selector-3031.jpg) 

_As evident from the recent Okta, Microsoft, and Twitter breaches, young hackers with sophisticated tools and plenty of time can persuade even the most aware employees into making cybersecurity mistakes. Another such attack came to light recently that targeted Uber, the ride-hailing and food delivery app._

The New York Times [reported](https://www.nytimes.com/2022/09/15/technology/uber-hacking-breach.html) that Uber suffered a systems breach and that its employees could not access internal tools like Slack. The hacker posted a **“not safe for work”** image on one employee resource page. A security engineer and bug bounty hunter not involved in the hack posted a comment attributed to an Uber employee who wanted to remain anonymous:

> “We were advised to stop using Slack, and anytime I requested a website, I ended up on a page with a pornographic image with the message ‘f\*\*\* you wankers.’”

Another bug bounty hunter tweeted a screenshot, with the #uberunderpaisdrives hashtag, allegedly from the hacker, which states, “Uber has suffered a [data breach](/email-security/how-to-respond-to-an-email-security-or-data-breach/), and I announce I am the hacker. Slack is stolen…”

## How Did the Threat Actor Get into Uber Systems?

The New York Times reported that the attacker claiming responsibility for the hack gained access through [social engineering](https://www.tessian.com/blog/examples-of-social-engineering-attacks/).

- The attacker sent a text message to an Uber worker claiming he was a company tech employee.
- He persuaded the victim to hand over the password that gave him access to the Uber network.
- _Social engineering is a common hacking strategy because humans are the weakest link in a network._
- Malicious actors used a similar technique in 2020 to hack Twitter.

The Times said the attacker is 18 years old and said he broke in because Uber had **weak security**. In the Slack message announcing the breach, the attacker also said that Uber drivers must receive higher pay.

## What Does Uber Say About The Hack?

> Uber’s official statement on Twitter read: “We are currently responding to a cybersecurity incident. We are in contact with the **law enforcement agencies** and will post updates here if there are any.”

According to a New York Times report, the hacker told the paper he was 18 years old and attacked Uber's information systems because they had weak security. He further claimed that he social-engineered an Uber employee and obtained that employee's **login credentials**.

Uber froze all Slack communications while it was investigating the hacker’s claims. Meanwhile, customers said Uber’s food delivery and ride-hailing services were operating normally worldwide.

[![hackers](https://media.mailhop.org/duocircle/images/2022/09/dkim-validation-2030.jpg)](https://media.mailhop.org/duocircle/images/2022/09/dkim-validation-2030.jpg)

## Hackers Could Have Stolen Uber Security Vulnerability Reports

Bleeping Computer is apparently [in contact](https://www.bleepingcomputer.com/news/security/uber-hacked-internal-systems-breached-and-vulnerability-reports-stolen/) with the alleged hacker, who has shown them screenshots showing access to **“critical Uber IT systems,”** including the Amazon Web Services console, security software, the Google Workspace admin dashboard, and Uber’s Slack server. It also appears the attacker gained access to Uber’s HackerOne bug bounty account, leaving comments on various report tickets.

The HackerOne account is one of the most valuable resources from the hacker’s perspective because it is likely that Uber’s **vulnerability reports** got downloaded. Marten Mickos, HackerOne CEO, said that the Uber account was locked down and that HackerOne is offering assistance to Uber in the investigation.

## Earlier Uber Hacks

Uber has had a run-in with hackers before: in 2016, it paid $148 million to settle claims regarding a large-scale data breach. The breach exposed the personal information of about 25 million US users. The New York Times reported the latest hack on **Thursday, September 15, 2022**.

## How to Protect Against Such Attacks?

Because so many people use Uber’s ride-sharing and food delivery applications, its databases attract cybercriminals for the quality and **amount of data they hold**. If malicious actors can access sensitive information like login credentials or payment details, they can greatly damage the **business prospects** of such organizations. Outlined below are some steps organizations and employees can take to protect themselves:

**_For Organizations And App Developers:_**

- Secure the code and make it tough to break while keeping it easy to patch and update.
- _Encrypt the data and ensure the authentication keys are not easily accessible._
- Be extra vigilant when using third-party libraries. Developers must maintain control over internal repositories and test libraries at the time of acquisition, before use.
- Use authorized APIs, as unauthorized APIs are loosely coded and can unintentionally grant permissions to unauthorized users.
- Use **high-level authentication**, or ensure that the apps accept strong, alphanumeric passwords which users must renew after a few months.
- Use multi-factor authentication (a combination of one-time and static password) or biometric authentication (fingerprint or retina scan) for more sensitive apps.
- Put a [firewall](https://www.checkpoint.com/cyber-hub/network-security/what-is-firewall/) around your network, which is an effective way to defend your systems from any cyber attack. A firewall will block any brute-force attempts made on your systems or network before they do any damage.
- Use threat modeling, penetration testing, and emulators to test apps. **Fix issues through patches** or updates when required.

**_For Customers/Employees:_**

- **_Check the source:_** Don’t trust a communication blindly; take a moment to think about where it originated.
- **_Ask Questions:_** Does the source have the information you expect them to have, like your full name, etc.? You must remember if a bank is messaging, they must have all of your data, and they will always ask security questions to allow you to make crucial changes to your account. Thus, if they don’t have your data, there are chances it is a **fake email/call/message**, and you should be wary.
- **_Break the loop:_** Threat actors use social engineering to create a sense of urgency. They hope their targets will not try and guess what is going on. So, take time to think about these attacks, and you can avoid becoming an easy victim.
- **_Use a good spam filter:_** Alter the settings of your email program if it is not marking emails as suspicious or **filtering out spam**.
- **_Don’t go too fast:_** You must be extremely careful when you feel a sense of urgency in the conversation. It is a standard way for cybercriminals to stop their targets from thinking through the issue.

[![ cybersecurity ](https://media.mailhop.org/duocircle/images/2022/09/what-is-dkim-selector-2029.jpg)](https://media.mailhop.org/duocircle/images/2022/09/what-is-dkim-selector-2029.jpg)

## Final Words

Various services offered by **ride-sharing applications** like Uber require key information like payment details and the real-time location of the rider. While the information is necessary to facilitate a smooth ride, it puts riders at risk if hackers access it. It is not confirmed if malicious actors accessed customer data in the Uber breach. Yet, it is a **wake-up call** for organizations and customers, who must understand that a [cybersecurity](/) posture is only as strong as its weakest link, the human factor.

Brad Slavin 

General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.

