Uber said it blamed a hacker linked to the Lapsus$ hacking group for breaching its internal systems last week, but reiterated that no customer or user data was compromised during the attack.
The hack, discovered last Thursday, forced the company to take several internal systems offline, including Slack, Amazon Web Services and Google Cloud Platform.
This comes just days before a hacker claiming to be the Uber attacker also breached video game maker Rockstar Games. Dozens of the company’s videos have not been released Grand Theft Auto VI Leaked online. In its security update, Uber referenced the Rockstar Games hack but did not confirm it was the same attacker.
The company said it is in close contact with the FBI and the US Department of Justice as the investigation continues.
Uber confirmed that the hacker downloaded some internal Slack messages as well as information from an internal tool used by the company’s finance team to manage invoices. “We are currently analyzing those downloads,” the company said in a statement.
Lapsus$ is a hacking group best known for its ransomware attack against the Brazilian Ministry of Health in December 2021, compromising the COVID-19 vaccine data of millions of people in the country. It also targeted several high-profile companies, stealing data from Nvidia, Samsung, Microsoft and Vodafone. London police arrested several members of the group earlier this year, all of them teenagers.
In its update on the breach, Uber confirmed new details about the hack. An attacker purchased an Uber contractor’s corporate password on the dark web and exposed those credentials after the contractor’s personal device was infected with malware, the company said.
“The attacker made repeated attempts to log into the contractor’s Uber account,” the company said. “Each time, the contractor received a two-factor login approval request, which initially blocked access. However, eventually, the contractor accepted one and the attacker logged in successfully.
(Previously, the alleged hacker claimed to have received a password that allowed him access to Uber’s systems from an employee of the company, who he tricked by posing as a corporate IT official — a practice known as social engineering.)
The hacker accessed several other Uber employee accounts, gradually gaining more permissions to several internal company tools, including G Suite and Slack. Then the attacker Posted a message to a company-wide Slack channel and “reconfigured Uber’s OpenDNS to display a graphic image to employees on certain internal sites,” the company said.
The hacker eventually announced himself to Uber employees by posting a message on the company’s internal Slack system. “I am a hacker and I declare that Uber has suffered a data breach” Screenshots of the message is being circulated on Twitter. The alleged hacker then listed the confidential company information they said they accessed and posted a hashtag saying Uber was underpaying its drivers.
Uber said it responded by forcing employees and contractors whose accounts were compromised to change their passwords and by restricting them from certain internal systems until they did so. It also flipped the keys — effectively resetting access — to many of Uber’s internal services. And it has locked down its own codebase, preventing new code changes — though it says it hasn’t detected any changes so far.
Uber claims that sensitive customer data is secure, including identifying personal information and financial data.
First, we don’t see an attacker accessing the production (ie public-facing) systems that power our apps; any user accounts; or databases we use to store sensitive user information, such as credit card numbers, user bank account information, or trip history. We also encrypt credit card information and personal health data, providing an additional layer of protection.
Uber says the hacker accessed the company’s dashboard on HackerOne, where security researchers report bugs and vulnerabilities. “However, any bug reports that could have been accessed by an attacker have been fixed,” the company said.
In addition to law enforcement, Uber said it is also working with “several leading digital forensics firms” as part of its ongoing investigation.
“We will also take this opportunity to strengthen our policies, practices and technology to further protect Uber from future attacks,” the company said.