Uber dealing with “cybersecurity incident” after hacker appears to breach system

Uber stated Thursday that it contacted law enforcement after a hacker allegedly breached its network. According to a security engineer, the hacker had shown evidence that he had gained access to the ride-hailing service’s cloud systems.

Uber tweeted Thursday night that it was “currently responding” to a cybersecurity incident and was in touch with law enforcement.

It stated that it would post updates on its Uber Comms Twitter feed. An Uber spokesperson reached by CBS News declined to give any details.

There was no indication that Uber’s fleet of vehicles had been or was being affected.

We are currently responding to a cybersecurity incident.

— Uber Comms (@Uber_Comms) September 16, 2022

“It seems like they’ve compromised a lot of stuff,” said Sam Curry, an engineer with Yuga Labs who communicated with the hacker. He said that the hacker had gained complete access to cloud environments hosted by Amazon and Google, where Uber stores its source code.

Curry stated that he spoke with several Uber employees and they said they were working to “lock down everything internally” in order to limit the hacker’s access. He said that this included the company’s internal messaging network Slack.

He stated that there was no evidence that the hacker was attempting to cause damage or was interested in publicity. “It seems that they are trying to get as much attention and damage as possible,” said Curry.

The hacker alerted Curry and other security researchers to the intrusion by using an internal Uber account to comment on vulnerabilities they had previously identified on the company’s network via its bug-bounty program, which pays ethical hackers to find vulnerabilities.

The hacker provided a Telegram address. Curry and other researchers engaged him in a separate conversation, in which the hacker shared screenshots of various pages from Uber’s cloud providers to show he had broken in.

The Associated Press tried to reach Curry and the other researchers via Telegram. However, no one replied.

A screenshot shared on Twitter and confirmed as authentic by researchers shows a conversation with the hacker, who claims to have obtained credentials for an administrative user and then used social engineering to gain access to Uber’s internal network.

In 2016, a massive cybersecurity breach at Uber saw hackers steal the personal data of 57 million Uber customers and drivers.

As a result, Uber was forced to pay $148 million to settle a lawsuit with all 50 states and the District of Columbia over the breach.
