Uber said that a hacker associated with the Lapsus$ hacking group was to blame for a breach of its internal systems last week, while reiterating that no customer or user data was compromised during the attack.
The hack, which was discovered last Thursday, forced the company to take several of its internal systems offline, including Slack, Amazon Web Services, and Google Cloud Platform.
It occurred a few days before video game maker Rockstar Games was also breached by a hacker who claims to be the same person who attacked Uber. Dozens of videos of the company’s unreleased Grand Theft Auto VI were leaked online. In its security update, Uber references the Rockstar Games hack but does not confirm it was the same attacker.
The company says it is in close contact with the FBI and US Justice Department as the investigation continues.
Uber confirmed that the hacker downloaded some internal Slack messages as well as information from an internal tool used by the company’s finance team to manage invoices. “We are currently analyzing those downloads,” the company said in a statement.
Lapsus$ is a hacking group known for waging a ransomware attack against the Brazilian Ministry of Health in December 2021, compromising the COVID-19 vaccination data of millions within the country. It’s also targeted a number of high-profile companies, stealing data from Nvidia, Samsung, Microsoft, and Vodafone. London police arrested several members of the group earlier this year, all of whom were teenagers.
In its update on the breach, Uber confirmed new details about the hack. The company said the attacker likely purchased an Uber contractor’s corporate password on the dark web after the contractor’s personal device had been infected with malware, exposing those credentials.
“The attacker then repeatedly tried to log in to the contractor’s Uber account,” the company said. “Each time, the contractor received a two-factor login approval request, which initially blocked access. Eventually, however, the contractor accepted one, and the attacker successfully logged in.”
(Previously, the alleged hacker claimed to have received a password allowing access to Uber’s systems from an employee of the company, whom he tricked by posing as a corporate IT official — a technique known as social engineering.)
The hacker then accessed several other Uber employee accounts, gradually gaining more permissions to a number of internal company tools, including G Suite and Slack. The attacker then posted a message to a company-wide Slack channel and “reconfigured Uber’s OpenDNS to display a graphic image to employees on some internal sites,” the company said.
The hacker ultimately announced themselves to Uber’s employees by posting a message on the company’s internal Slack system. “I announce I am a hacker and Uber has suffered a data breach,” screenshots of the message circulating on Twitter read. The alleged hacker then listed confidential company information they said they’d accessed and posted a hashtag saying that Uber underpays its drivers.
Uber said it responded by forcing employees and contractors who had their accounts compromised to change their passwords and restricting them from certain internal systems until they had done so. It also rotated keys — effectively resetting access — to many of Uber’s internal services. And it locked down its own codebase, preventing any new code changes — though it claims to have not detected any changes as of yet.
Uber also claims that sensitive customer data, including identifying personal information and financial data, is secure.
First and foremost, we’ve not seen that the attacker accessed the production (i.e. public-facing) systems that power our apps; any user accounts; or the databases we use to store sensitive user information, like credit card numbers, user bank account info, or trip history. We also encrypt credit card information and personal health data, offering a further layer of protection.
Uber says the hacker accessed the company’s dashboard at HackerOne, where security researchers report bugs and vulnerabilities. “However, any bug reports the attacker was able to access have been remediated,” the company says.
In addition to law enforcement, Uber says it’s also working with “several leading digital forensics firms” as part of its ongoing investigation.
“We will also take this opportunity to continue to strengthen our policies, practices, and technology to further protect Uber against future attacks,” the company said.