Uber confirmed on Thursday, September 15, 2022, that it had suffered a breach after an attacker posted a message to an internal company Slack channel. At first, employees thought it was a joke, and a screenshot of the message that leaked online caused some confusion. After the New York Times reported on it, Uber temporarily cut off access to some internal services, including Slack.
On Friday, Uber posted a brief update stating that it was responding to a cybersecurity incident and working with law enforcement. It soon followed up to say that the “internal software tools that we took down as a precaution yesterday are coming back online.” A further update later on Friday said the company had found no evidence that the attacker accessed “sensitive user data (like trip history).”
While user trip history may not have been compromised, the threat actor, who claims to be a lone 18-year-old, released screenshots showing access to highly sensitive internal systems.
Huge Parts of Uber Compromised with One Phishing Attack
The threat actor, who goes by teapots2022, described the intrusion on Telegram. By their account, they bombarded one Uber employee with multifactor authentication push notifications for over an hour, then contacted the same employee on WhatsApp posing as corporate IT and told them the notifications would stop once they approved the login request. Note that the attacker must already hold the employee's valid password for their login attempts to trigger push prompts in the first place.
This technique is usually called “MFA fatigue” or push bombing. It relies on wearing the victim down with a stream of authentication prompts until they approve one just to make it stop, often helped along by a pretext like the IT-support call above. It only works against approve/deny push prompts: with a one-time code (OTP) the victim has to hand the attacker the code, which is a deliberate act rather than a reflex tap; number matching raises the bar further, since the victim has to type a number shown on the attacker's screen; and a FIDO2/WebAuthn security key removes the approve button altogether. As more organisations have adopted push-based MFA, MFA fatigue has gained traction among attackers accordingly.
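The pattern described above (many unanswered pushes for one user, then an approval) is visible in MFA logs, and that is where a SOC would catch it. The following detection is an added example, not Uber's or any MFA vendor's code; the JSON-lines schema, the user names, and the timestamps are constructed for the example, and Duo, Okta or Azure AD expose the same information under their own field names.

```python
"""Detect MFA push bombing ("MFA fatigue") in authentication logs.

Added example, not Uber's or any MFA vendor's code. The JSON-lines schema
below is constructed for the example; Duo, Okta and Azure AD expose the same
information (who was pushed, from which login attempt, and what they answered)
under their own field names.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: "alice" ignores a push every five minutes for an hour and
# then approves one; "bob" approves a single, ordinary push.
SAMPLE_LOG = "\n".join(
    [json.dumps({"ts": f"2022-09-12T21:{m:02d}:00Z", "user": "alice",
                 "event": "push_timeout", "src_ip": "203.0.113.9"})
     for m in range(0, 60, 5)]
    + [json.dumps({"ts": "2022-09-12T22:00:00Z", "user": "alice",
                   "event": "push_approved", "src_ip": "203.0.113.9"}),
       json.dumps({"ts": "2022-09-12T22:01:00Z", "user": "bob",
                   "event": "push_approved", "src_ip": "198.51.100.4"})]
)

# One event per push outcome: the victim let it expire, denied it, or approved it.
UNANSWERED = {"push_timeout", "push_denied"}


def parse_events(text):
    """Parse JSON lines and return events sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        # fromisoformat() only accepts a trailing "Z" from Python 3.11 on
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def detect_mfa_fatigue(text, threshold=5, window_minutes=60):
    """Flag any approval preceded by >= threshold unanswered pushes for the
    same user within the trailing window. Returns one alert dict per hit."""
    window = timedelta(minutes=window_minutes)
    pending = defaultdict(deque)      # user -> deque of (ts, src_ip) unanswered
    alerts = []
    for rec in parse_events(text):
        q = pending[rec["user"]]
        while q and rec["ts"] - q[0][0] > window:   # age out old prompts
            q.popleft()
        if rec["event"] in UNANSWERED:
            q.append((rec["ts"], rec["src_ip"]))
        elif rec["event"] == "push_approved":
            if len(q) >= threshold:
                alerts.append({
                    "user": rec["user"],
                    "unanswered": len(q),
                    "first_push": q[0][0].isoformat(),
                    "approved_at": rec["ts"].isoformat(),
                    "src_ips": sorted({ip for _, ip in q} | {rec["src_ip"]}),
                })
            q.clear()                 # an approval ends the sequence either way
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_LOG):
        print(json.dumps(alert))
```

The threshold and window are tuning knobs: a legitimate user who fumbles a phone might let two or three prompts expire, but a dozen in an hour followed by an approval is the attack, not noise. The alert also carries the source IPs of the login attempts, which is usually the fastest way to confirm that the approved login did not come from the employee's own device.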
As independent security researcher Bill Demirkapi explained in a Twitter thread about the incident, people often assume that MFA protects against social engineering. “Although MFA can protect against an attacker who only has the victim’s credentials, it is commonly still vulnerable to MiTM attacks,” he wrote.
The MiTM bypass Demirkapi refers to is a relay: the attacker registers a lookalike domain and runs a reverse proxy that serves Uber's real login page from it, forwards whatever the victim types (password, one-time code, push approval) to the real identity provider in real time, and keeps the session cookie the provider hands back. The login succeeds on the attacker's side and the victim sees a normal-looking sign-in. Whether Uber's attacker ran such a relay has not been confirmed; the push bombing described above does not need one, because once the victim taps Approve, the attacker's own login attempt, started with the stolen password, is simply let through.
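The relay described above, modelled end to end so the two outcomes can be compared, is an added example and not code from the page, from Uber, or from Demirkapi. It shows a password-plus-TOTP login relayed through a fake origin yielding a usable session, and the same relay failing against an origin-bound (WebAuthn-style) credential because the victim's browser signs the origin it is actually on. The domains, the account, the TOTP seed and the keys are constructed, and HMAC stands in for the authenticator's public-key signature so the model runs with the standard library alone.

```python
"""Model of a login-page relay ("man-in-the-middle" phishing) against
password+TOTP, and why an origin-bound WebAuthn-style credential survives it.

Added example, not code from the page, from Uber or from any vendor. All
origins, accounts and keys are constructed; HMAC stands in for the
authenticator's public-key signature so the model runs without a crypto
library.
"""
import hashlib
import hmac
import json
import secrets
import struct

REAL_ORIGIN = "https://login.uber.example"       # assumed legitimate IdP
PHISH_ORIGIN = "https://login.uber-sso.example"  # assumed attacker relay


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1; enough to stand in for an authenticator app."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


class IdP:
    """The real identity provider. Knows the password, the TOTP seed and the
    authenticator key registered for its one constructed account."""

    def __init__(self):
        self.users = {"employee": {"password": "Autumn2022!",
                                   "totp_seed": b"12345678901234567890",
                                   "authn_key": secrets.token_bytes(32)}}
        self.sessions = {}

    def _issue(self, user):
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return cookie

    def login_totp(self, user, password, code, now):
        u = self.users.get(user)
        if not u or password != u["password"]:
            return None
        if not hmac.compare_digest(code, totp(u["totp_seed"], now)):
            return None
        return self._issue(user)      # nothing here ties the login to a site

    def login_webauthn(self, user, client_data, signature):
        u = self.users.get(user)
        msg = json.dumps(client_data, sort_keys=True).encode()
        if not u or not hmac.compare_digest(
                signature, hmac.new(u["authn_key"], msg, hashlib.sha256).digest()):
            return None
        if client_data["origin"] != REAL_ORIGIN:   # the relay's origin is rejected
            return None
        return self._issue(user)


def authenticator_sign(key, challenge, browser_origin):
    """The victim's authenticator: it only ever signs over the origin the
    browser says the page came from (WebAuthn clientDataJSON)."""
    client_data = {"challenge": challenge, "origin": browser_origin}
    sig = hmac.new(key, json.dumps(client_data, sort_keys=True).encode(),
                   hashlib.sha256).digest()
    return client_data, sig


def relay_totp_login(idp, now=1663275600):
    """Victim types password and live TOTP into the relay; the relay forwards
    them to the real IdP and keeps the session cookie it gets back."""
    victim_password = idp.users["employee"]["password"]         # typed into the fake page
    victim_code = totp(idp.users["employee"]["totp_seed"], now)  # read off the phone
    captured = idp.login_totp("employee", victim_password, victim_code, now)
    return captured is not None and idp.sessions.get(captured) == "employee"


def relay_webauthn_login(idp, victim_browser_origin):
    """Same relay, but the account uses an origin-bound credential. The relay
    passes the challenge through untouched; the one thing it cannot forge is
    the origin the victim's browser embeds in the signed data."""
    challenge = secrets.token_hex(16)             # issued by the real IdP
    key = idp.users["employee"]["authn_key"]      # lives on the victim's device
    client_data, sig = authenticator_sign(key, challenge, victim_browser_origin)
    return idp.login_webauthn("employee", client_data, sig) is not None


if __name__ == "__main__":
    idp = IdP()
    print("TOTP relay yields a session:", relay_totp_login(idp))
    print("WebAuthn via relay yields a session:", relay_webauthn_login(idp, PHISH_ORIGIN))
    print("WebAuthn direct yields a session:", relay_webauthn_login(idp, REAL_ORIGIN))
```

The TOTP path succeeds because nothing the victim types is bound to where they typed it; the relay is just a very fast copy-and-paste. The WebAuthn path fails at the origin check even though the password, challenge and key are all genuine, which is the property that makes FIDO2 "phishing-resistant" and the reason it is the recommended answer to both push bombing and relay phishing.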
Uber’s Entire System May Have Been Compromised
After gaining access to the employee's accounts, the attacker reportedly reached an internal network share containing PowerShell scripts. One of them held hard-coded credentials for an administrator account on Thycotic, Uber's privileged access management (PAM) platform, which is the system that exists precisely to store and broker privileged credentials.
With the Thycotic admin account, the attacker was reportedly able to reach Uber's cloud and identity infrastructure, including Google Workspace, Amazon Web Services, Duo, VMware's vSphere dashboard, and OneLogin. An admin account on the PAM system is about the worst credential that can leak, since it can read every secret the vault holds, which is how one hard-coded password fanned out into so many systems. The attacker posted screenshots of several of these, including the AWS console, which were shared on Twitter.
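The practical check that would have caught the script on the share is a secrets scan over everything committed or copied there. The scanner below is an added example, not Uber's tooling; its rule names, the Secret Server URL, the account names and both sample scripts are constructed. The scanner is written in Python so it runs anywhere, but its targets are PowerShell scripts, and the second sample shows the same job done without baking the secret into the file.

```python
"""Scan PowerShell scripts for hard-coded credentials before they land on a share.

Added example, not Uber's tooling. The two scripts are constructed: the first
stores a PAM (Thycotic Secret Server) admin password and a SQL password in
plain text; the second obtains the same secrets at run time. Rule names, the
Secret Server URL and the account names are invented for the example.
"""
import re

# Each rule: a name and a pattern matching one way secrets get baked into scripts.
RULES = [
    ("variable-assignment",
     re.compile(r"""\$\w*(?:pass|pwd|secret|token|apikey|api_key)\w*\s*=\s*["'][^"']{4,}["']""", re.I)),
    ("plaintext-securestring",
     re.compile(r"""ConvertTo-SecureString\s+["'][^"']+["']\s+-AsPlainText""", re.I)),
    ("literal-parameter",
     re.compile(r"""-(?:Password|Pass|Pwd|Secret|Token|ApiKey)\b\s+["'][^"']+["']""", re.I)),
    ("credentials-in-url",
     re.compile(r"""https?://[^\s/:"']+:[^\s@"']+@""", re.I)),
]
QUOTED = re.compile(r"""(["'])[^"']*\1""")


def find_hardcoded_secrets(script: str):
    """Return one finding per matching line: line number, rule, redacted text."""
    findings = []
    for lineno, line in enumerate(script.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("#"):          # skip comment lines
            continue
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append({"line": lineno, "rule": name,
                                 "text": QUOTED.sub(r"\1***\1", stripped)})
                break                         # one finding per line is enough
    return findings


BAD_SCRIPT = r'''
# Constructed: rotates a service account through the Secret Server REST API
$Server   = "https://secretserver.corp.example"
$User     = "thycotic_admin"
$Password = "Thyc0tic!Admin2022"
$Sec  = ConvertTo-SecureString "Thyc0tic!Admin2022" -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential($User, $Sec)
$Body = @{ username = $User; password = $Password; grant_type = "password" }
$Tok  = Invoke-RestMethod -Uri "$Server/oauth2/token" -Method Post -Body $Body
Invoke-Sqlcmd -ServerInstance db01 -Username sa -Password 'Sql!Admin2022' -Query "SELECT 1"
'''

GOOD_SCRIPT = r'''
# Constructed: same job, secrets supplied at run time instead of in the file
$Server = "https://secretserver.corp.example"
$Cred   = Get-Credential -Message "Secret Server admin"     # interactive prompt
$Tok    = $env:SECRETSERVER_TOKEN                            # injected by the scheduler
$SqlSec = Read-Host -AsSecureString "SQL password"
Invoke-Sqlcmd -ServerInstance db01 -Username sa -Password $SqlSec -Query "SELECT 1"
'''

if __name__ == "__main__":
    for f in find_hardcoded_secrets(BAD_SCRIPT):
        print(f"line {f['line']:>2}  {f['rule']:<24} {f['text']}")
    print("clean script findings:", find_hardcoded_secrets(GOOD_SCRIPT))
```

Findings are reported with the quoted literals masked so the scan output itself does not become a second copy of the secret. Pattern scanners like this are the idea behind tools such as gitleaks and trufflehog, which add entropy checks and hundreds of vendor-specific token formats; the scan is only half the fix, though, since the script's job still needs a credential, and that credential should come from the PAM system at run time rather than sit next to the scripts that use it.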
According to researchers who analysed the breach independently, infostealer logs containing Uber data were listed for sale on September 12 and 14, so Uber credentials were in criminal hands at least as early as Monday, September 12. Since teapots2022 only announced themselves on Slack on Thursday, the attacker had at least three days, and probably longer, to move around Uber's internal infrastructure before anyone noticed.
The same analysis found that at least two Uber employees (in Indonesia and Brazil) had been infected with credential-stealing malware, the kind whose harvested logins are sold as "logs". That means teapots2022 may have had more than one employee's credentials to work with, and more than one target for the push-bombing described above.
Uber Still Investigating the Full Extent of the Attack
Uber hasn't released any further details about the attack or its investigation, so the actual scope and consequences of the breach are not yet known. It is also possible that, while Uber says trip history wasn't compromised, other sensitive user data was.
Since Uber stores a lot of personal data, including login credentials, payment card details, and activity logs, a breach at this level is potentially serious for Uber users. Drivers may be affected as well if their employment, payout, or trip records were reached.
This hack comes while the company is still dealing with the fallout from its 2016 breach, in which attackers made off with the personal information of about 57 million riders and drivers. Uber's former chief security officer, Joseph Sullivan, is currently on trial for allegedly paying the hackers $100,000 to cover that breach up.
To be on the safe side, Uber users should change the password on their Uber account and, where the app offers it, turn on two-step verification. When choosing a new password, make sure to avoid these common (terrible) passwords. We also have a guide on how to create an impenetrable password in 11 simple steps. Want to improve your online security even further? CyberGhost VPN secures your connection with 256-bit AES encryption, which protects you from eavesdropping on untrusted networks. Be aware that no VPN stops the login-page relay described above, because you connect to the fake page yourself; the defence there is phishing-resistant MFA and checking the address bar before you type a password.