As the recent Okta, Microsoft, and Twitter breaches show, young hackers with sophisticated tools and plenty of time can manipulate even the most security-aware employees into making cybersecurity mistakes. Another such attack came to light recently, this time targeting Uber, the ride-hailing and food delivery app.
The New York Times reported that Uber suffered a systems breach, and its employees could not access internal tools like Slack. The hacker posted a "not safe for work" image on one employee resource page. A security engineer and bug bounty hunter not involved in the hack posted a comment attributed to an Uber employee who wanted to remain anonymous, which claims:
“We were advised to stop using Slack, and anytime I requested a website, I ended up on a page with a pornographic image with the message ‘f*** you wankers.'”
Another bug bounty hunter tweeted a screenshot, with the #uberunderpaisdrives hashtag, allegedly from the hacker, which states, “Uber has suffered a data breach, and I announce I am the hacker. Slack is stolen…”
How Did the Threat Actor Get into Uber Systems?
The New York Times reported that the attacker claiming responsibility for the hack gained access through social engineering.
- The attacker sent a text message to an Uber worker claiming he was a company tech employee.
- He persuaded the victim to hand over the password that gave him access to the Uber network.
- Social engineering is a common hacking strategy because humans are the weakest link in a network.
- Malicious actors used a similar technique in 2020 to hack Twitter.
The Times said the attacker is 18 years old and that he said he broke in because Uber had weak security. In the Slack message announcing the breach, the attacker also said that Uber drivers must receive higher pay.
What Does Uber Say About The Hack?
Uber’s official statement on Twitter read: “We are currently responding to a cybersecurity incident. We are in contact with the law enforcement agencies and will post updates here if there are any.”
According to a New York Times report, the hacker told them he was 18 years old and attacked Uber's information systems because they had weak security. He further claimed that he socially engineered an Uber employee and obtained his login credentials.
Uber froze all Slack communications while it was investigating the hacker’s claims. Meanwhile, customers said Uber’s food delivery and ride-hailing services were operating normally worldwide.
Hackers Could Have Stolen Uber Security Vulnerability Reports
Bleeping Computer is apparently in contact with the alleged hacker, who has shown them screenshots showing access to “critical Uber IT systems,” including the Amazon Web Services console, security software, the Google Workspace admin dashboard, and Uber’s Slack server. It also appears the attacker gained access to Uber’s HackerOne bug bounty account, leaving comments on various report tickets.
The HackerOne account is one of the most valuable resources from the hacker’s perspective because it is likely that Uber’s vulnerability reports were downloaded. Marten Mickos, HackerOne CEO, said that the Uber account was locked down and that HackerOne is offering assistance to Uber in the investigation.
Earlier Uber Hacks
Uber has had a run-in with hackers before: in 2016, it paid $148 million to settle claims regarding a large-scale data breach. The breach exposed the personal information of about 25 million US users. The New York Times reported the latest hack on Thursday, September 15, 2022.
How to Protect Against Such Attacks?
Because so many people use Uber’s ride-sharing and food delivery applications, cybercriminals are attracted to its databases for the quality and amount of data they hold. If malicious actors can access sensitive information like login credentials or payment details, they can greatly damage the business prospects of such organizations. Outlined below are some steps organizations and employees can take to protect themselves:
For Organizations And App Developers:
- Secure the code and make it tough to break while keeping it easy to patch and update.
- Encrypt the data and ensure the authentication keys are not easily accessible.
- Be extra vigilant when using third-party libraries. Developers must maintain control over internal repositories and test libraries during acquisition, before they are used.
- Use authorized APIs, as unauthorized APIs are loosely coded and can unintentionally grant permissions to unauthorized users.
- Use high-level authentication, or ensure that the apps accept strong, alphanumeric passwords that users must renew after a few months.
- Use multi-factor authentication (a combination of a one-time and a static password) or biometric authentication (fingerprint or retina scan) for more sensitive apps.
- Put a firewall around your network; it is an effective way to defend your systems from cyber attacks. A firewall can block brute-force attempts made on your systems or network before they do any damage.
- Use threat modeling, penetration testing, and emulators to test apps. Fix issues through patches or updates when required.
For Customers/Employees:
- Check the source: Don’t trust a communication blindly; take a moment to think about where it originated.
- Ask questions: Does the source have the information you expect them to have, like your full name? Remember that if a bank is messaging you, it must have all of your data, and it will always ask security questions before allowing you to make crucial changes to your account. Thus, if the sender doesn’t have your data, chances are it is a fake email/call/message, and you should be wary.
- Break the loop: Threat actors use social engineering to create a sense of urgency. They hope their targets will not stop to work out what is going on. So, take time to think about these attacks, and you can avoid becoming an easy victim.
- Use a good spam filter: Alter the settings of your email program if it is not marking emails as suspicious or filtering out spam.
- Don’t go too fast: You must be extremely careful when you feel a sense of urgency in the conversation. It is a standard way for cybercriminals to stop their targets from thinking through the issue.
Various services offered by ride-sharing applications like Uber require key information like payment details and the real-time location of the rider. While the information is necessary to facilitate a smooth ride, it puts riders at risk if hackers access it. It is not confirmed whether malicious actors accessed customer data in the Uber breach. Yet, it is a wake-up call for organizations and customers, who must understand that a cybersecurity posture is only as strong as its weakest link: the human factor.