https://www.nytimes.com/2022/09/15/technology/uber-hacking-breach.
html
Uber Investigating Breach of Its Computer Systems
The company said on Thursday that it was looking into the scope of the apparent hack.
By Kate Conger and Kevin Roose
Sept. 15, 2022
Uber discovered its computer network had been breached on Thursday, leading the company to take several of its internal
communications and engineering systems offline as it investigated the extent of the hack.
The breach appeared to have compromised many of Uber’s internal systems, and a person claiming responsibility for the hack sent
images of email, cloud storage and code repositories to cybersecurity researchers and The New York Times.
“They pretty much have full access to Uber,” said Sam Curry, a security engineer at Yuga Labs who corresponded with the person who
claimed to be responsible for the breach. “This is a total compromise, from what it looks like.”
An Uber spokesman said the company was investigating the breach and contacting law enforcement officials.
Uber employees were instructed not to use the company’s internal messaging service, Slack, and found that other internal systems
were inaccessible, said two employees, who were not authorized to speak publicly.
Shortly before the Slack system was taken offline on Thursday afternoon, Uber employees received a message that read, “I announce
I am a hacker and Uber has suffered a data breach.” The message went on to list several internal databases that the hacker claimed
had been compromised.
The hacker compromised a worker’s Slack account and used it to send the message, the Uber spokesman said. It appeared that the
hacker was later able to gain access to other internal systems, posting an explicit photo on an internal information page for
employees.
The person who claimed responsibility for the hack told The New York Times that he had sent a text message to an Uber worker
claiming to be a corporate information technology person. The worker was persuaded to hand over a password that allowed the
hacker to gain access to Uber’s systems, a technique known as social engineering.
“These types of social engineering attacks to gain a foothold within tech companies have been increasing,” said Rachel Tobac, chief
executive of SocialProof Security. Ms. Tobac pointed to the 2020 hack of Twitter, in which teenagers used social engineering to break
into the company. Similar social engineering techniques were used in recent breaches at Microsoft and Okta.
“We are seeing that attackers are getting smart and also documenting what is working,” Ms. Tobac said. “They have kits now that
make it easier to deploy and use these social engineering methods. It’s become almost commoditized.”
The hacker, who provided screenshots of internal Uber systems to demonstrate his access, said that he was 18 years old and had been
working on his cybersecurity skills for several years. He said he had broken into Uber’s systems because the company had weak
security. In the Slack message that announced the breach, the person also said Uber drivers should receive higher pay.
The person appeared to have access to Uber source code, email and other internal systems, Mr. Curry said. “It seems like maybe
they’re this kid who got into Uber and doesn’t know what to do with it, and is having the time of his life,” he said.
In an internal email that was seen by The New York Times, an Uber executive told employees that the hack was under investigation.
“We don’t have an estimate right now as to when full access to tools will be restored, so thank you for bearing with us,” wrote Latha
Maripuri, Uber’s chief information security officer.
It was not the first time that a hacker had stolen data from Uber. In 2016, hackers stole information from 57 million driver and rider
accounts and then approached Uber and demanded $100,000 to delete their copy of the data. Uber arranged the payment but kept the
breach a secret for more than a year.
Joe Sullivan, who was Uber’s top security executive at the time, was fired for his role in the company’s response to the hack. Mr.
Sullivan was charged with obstructing justice for failing to disclose the breach to regulators and is currently on trial.
Lawyers for Mr. Sullivan have argued that other employees were responsible for regulatory disclosures and said the company had
scapegoated Mr. Sullivan.
Kate Conger is a technology reporter in the San Francisco bureau, where she covers the gig economy and social media. More about Kate Conger
Kevin Roose is a technology columnist and the author of “Futureproof: 9 Rules for Humans in the Age of Automation.” More about Kevin Roose
A version of this article appears in print on , Section B, Page 3 of the New York edition with the headline: Uber Opens Investigation Into Breach
