Data Breach: Uber Hacked by 18 year old allegedly-Uber hack 2022

Data Breach: Uber Hacked by 18 year old allegedly-Uber hack 2022

Uber acknowledged reports of a widespread cybersecurity compromise on September 15th.

An attacker gained access to the account of an Uber EXT contractor. After the contractor’s device had been infected with malware, revealing those credentials, the attacker likely bought the contractor’s Uber corporate password on the dark web. The attacker then made numerous attempts to access the Uber account of the contractor. Each time, the contractor got a request for two-factor login approval, which at first prevented access. The attacker eventually convinced the contractor to accept one after social engineering him into believing he was from the Uber IT department and that he was required to do so to stop receiving notifications for other permission requests on his phone. The hacker was able to log in successfully as a result.

From there, the attacker gained access to several more employee accounts, granting him or her elevated access to numerous tools, including G-Suite and Slack. The attacker then modified Uber’s OpenDNS to show a graphic image to employees on some internal websites and uploaded a message to a company-wide Slack channel, which many of you saw.


How did the Attacker get entry? Briefly stated: 

  1. The attack began with a social engineering campaign against Uber staff members, which led to access to a VPN and, ultimately, to Uber’s internal network *
  2. Once inside the network, the hacker discovered a few PowerShell scripts, one of which had the domain admin account’s login information for Thycotic, Uber’s Privileged Access Management (PAM) solution, hard coded.
  3. AWS, GCP, Google Drive, Slack workspace, SentinelOne, HackerOne admin console, Uber’s internal employee dashboards, and a few code repositories were among the services and internal tools the attacker was able to access and control using admin access.

Hardcoded credentials in a PowerShell script were a major weakness that gave the attacker such extensive access. These login credentials granted administrator access to Thycotic, a PAM system. Because it holds both end-user credentials for employee access to internal services and third-party apps as well as DevOps secrets used in the context of software development, this tool carries a great deal of privilege and is therefore a single point of failure. The worst-case scenario is this. With admin access, you can grant yourself or retrieve secrets from all connected systems. The PAM system manages access to several systems. The attacker now appears to have full access to all of Uber’s internal systems as a result.

 What impact has this breach got on the company?

Investigations have focused on assessing whether there was any material impact after the attacker gained access to various internal systems. The investigation is still ongoing, but the most recent findings are as follows: “First and foremost, we haven’t seen any evidence that the attacker gained access to any of the production (i.e. public-facing) systems that power our apps, any user accounts, or the databases we use to store sensitive user data, such as credit card numbers, user bank account information, or trip history. To provide an additional layer of security, we also encrypt personal health data and credit card information.

We examined our codebase and discovered no alterations from the attacker. Additionally, we have not discovered that the attacker gained access to any user or customer data kept by our cloud service providers (e.g. AWS S3). It does appear that the attacker downloaded some internal Slack messages, as well as accessed or downloaded information from an internal tool our finance team uses to manage some invoices.

The attacker gained access to our dashboard at HackerOne, where security researchers report bugs and vulnerabilities. HackerOne is vulnerability coordination and bug bounty platform that links companies looking to learn about security issues in their products with penetration testers and cybersecurity researchers looking to be rewarded for their bug-hunting efforts. Any bug reports that the attacker had access to, nevertheless, have been fixed.

All of our openly accessible Uber, Uber Eats, and Uber Freight services continued to operate without interruption. Customer service operations were only slightly hampered by the removal of several internal tools, and are now back to normal.”

 Who’s responsible for this breach?

The organization claims that they think the attacker (or attackers) are connected to the Lapsus$ hacking organization, which has become more active over the past year or two. This gang often targets IT businesses using similar methods, and in 2022 alone, it managed to hack Microsoft, Cisco, Samsung, Nvidia, and Okta, among others.

The alleged attacker (Teapot) informed The Post that they broke into Uber for fun and were thinking about disclosing the company’s source code, according to reports. He claimed to be 18 years old to the NYT.