San-Franciso-headquartered ride-hailing company Uber, with a presence in over 10,000 cities in 72 countries, is now investigating a breach after an 18-year-old hacked into its network and allegedly has access to its source code, The New York Times has reported.
The incident came to light after the alleged hacker reached out to cybersecurity experts and the NYT and sent them images of the company's email, cloud storage, and code repositories as proof of their accomplishment.
How did the hacker gain access?
According to the NYT, the hacker sent a text message to an Uber employee claiming to be a member of the corporate information technology (IT) team and persuaded the employee to share a password to Uber's virtual private network (VPN).
This method of hacking is called "social engineering" and has been used increasingly by technology companies in the past few years. Twitter, Microsoft, and ironically, the identity and access management company, Okta, have faced network breaches after hackers used the method to their benefit.
Once inside the network, the hacker found PowerShell scripts on the company's network, which contained access management credentials. The username and password of one admin user were sufficient to grant them access to a slew of services used by the company, the hacker told cybersecurity researcher Corben Leo.
Apparently there was an internal network share that contained powershell scripts...https://t.co/FhszpxxUEW
— Corben Leo (@hacker_) ) September 16, 2022
The hacker then allegedly sent a message on Uber's internal communication tool, Slack, announcing the hack and how data had been stolen. The hacker ended the message with a hashtag that says that the company underpays its drivers. However, employees responded as if it were a joke and posted GIFs and emojis in response.
Honestly kind of a classy way to hack someone 😂😂😂https://t.co/fFUA5xb3wv
— Colton (@ColtonSeal) ) September 16, 2022
Sam Curry, a security engineer at Yuga Labs, is one of the people the hacker has interacted with. Curry thinks that the hack looks like a "total compromise," and the hacker has "pretty much full access to Uber," the NYT reported.
What is Uber's reaction?
Uber has said that it is investigating the alleged breach and is contacting law enforcement officials. It has cut off employee access to Slack and some other internal systems, two employees confirmed to the NYT.
In an internal email sent to its employees, Uber’s chief information security officer, Latha Maripuri, wrote, "We don’t have an estimate right now as to when full access to tools will be restored, so thank you for bearing with us," said the NYT.
The teen hacker has reportedly been working on his cybersecurity skills for the past few years and has managed to get in since Uber's cybersecurity measures are weak. This isn't the first time Uber has been hacked.
In 2016, hackers stole data from 57 million driver and rider accounts and demanded a US$100,000 ransom to delete their copy. Uber made the payment and kept the breach under wraps for over a year. Uber's then top security executive, Joe Sullivan, is currently under trial for not disclosing the breach to regulators.