Uber has reportedly suffered another massive security incident, likely larger than the 2016 data breach, and potentially putting its entire network at risk. The intruder may also have been able to delete or modify access logs.
A hacker was believed to have breached several internal systems Thursday with administrative access to Uber’s cloud services, including Amazon Web Services (AWS) and Google Cloud (GCP).
“The attacker claims to have fully compromised Uber and shows screenshots where he is a full administrator on AWS and GCP,” Sam Curry wrote in a tweet. The Yuga Labs security engineer, who corresponded with the hacker, added, “As it stands, this is a total compromise.”
Uber has since suspended online access to its internal communications and engineering systems while it investigates the breach, according to a New York Times (NYT) report that broke the news. The company’s internal messaging platform, Slack, has also been taken offline.
The hacker, who claimed to be 18, told the NYT he texted an Uber employee and persuaded the employee to reveal a password after claiming to be a corporate IT employee. The social-engineering attack allowed him to penetrate Uber’s systems, and the hacker described the company’s security posture as weak.
Using the employee’s password, the hacker gained access to the internal VPN, Kevin Reed, CISO of Acronis, said in a LinkedIn post. The hacker then moved onto the company network, found highly privileged credentials on network file shares, and used them to access everything, including production systems, the company’s EDR (Endpoint Detection and Response) console, and Uber’s Slack management interface.
However, it’s not known how the hacker managed to bypass two-factor authentication after obtaining the employee’s password, Reed noted.
“This looks bad,” he said, noting that hackers could probably now access any data that Uber had.
When asked if the impact was similar to, or possibly greater than, Uber’s data breach in 2016, Reed told ZDNET the latest breach is certainly large and “as big as it could be.” Any system operated by Uber could have been compromised, he said.
Although it was unclear what data the ridesharing company had stored, he believes the hacker was most likely able to access everything it held, including trip history and addresses.
Because the hackers also had access to the logging systems, he added, Uber had no way to confirm whether data had been accessed or modified: the intruders could have deleted or altered the access logs themselves.
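As an added illustration (not part of the original report or of Uber’s systems) of one mitigation for the log-tampering risk described above: a hash-chained access log whose final digest is committed to storage the logging host cannot write, so a verifier can later detect edited or deleted entries. The event records below are constructed samples.

```python
import hashlib
import json

GENESIS = "0" * 64  # fixed, public starting value for the chain

def _digest(prev_hash, event):
    # Canonical JSON so the same event always hashes identically
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()

def build_chain(events):
    """Wrap each event with its link in the chain.
    Returns (records, anchor); the anchor is the final hash and must be
    committed off-host (WORM bucket, external service) as each batch closes."""
    records, prev = [], GENESIS
    for event in events:
        h = _digest(prev, event)
        records.append({"event": event, "prev": prev, "hash": h})
        prev = h
    return records, prev

def verify_chain(records, anchor):
    """Recompute every link. Returns (ok, detail): detail is the index of the
    first record whose link is broken, or 'anchor' if the chain is internally
    consistent (e.g. trailing entries deleted) but does not end at the anchor."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["prev"] != prev or rec["hash"] != _digest(prev, rec["event"]):
            return False, i
        prev = rec["hash"]
    if prev != anchor:
        return False, "anchor"
    return True, None

# Constructed sample access events (hypothetical names, not real data)
SAMPLE_EVENTS = [
    {"ts": "2022-09-15T20:01:12Z", "user": "svc-deploy", "action": "read", "target": "fileshare://ops/scripts"},
    {"ts": "2022-09-15T20:03:40Z", "user": "svc-deploy", "action": "assume-role", "target": "aws:iam::admin"},
    {"ts": "2022-09-15T20:05:02Z", "user": "svc-deploy", "action": "read", "target": "s3://prod-exports/"},
]

def demo():
    records, anchor = build_chain(SAMPLE_EVENTS)
    intact = verify_chain(records, anchor)
    edited = json.loads(json.dumps(records))      # deep copy of the stored log
    edited[1]["event"]["action"] = "list"          # an entry is rewritten in place
    modified = verify_chain(edited, anchor)
    truncated = verify_chain(records[:-1], anchor) # the last entry is removed
    return intact, modified, truncated
```

An attacker who controls the logging host can recompute the whole chain, which is why detection depends on the anchor living somewhere that host cannot overwrite.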
In the 2016 security breach, hackers infiltrated a private GitHub repository used by Uber software developers and gained access to an AWS account that managed tasks performed by the ridesharing service. The breach exposed data from 57 million Uber accounts worldwide, giving hackers access to names, email addresses and phone numbers. Around 7 million drivers were also affected, including the details of more than 600,000 driver’s licenses.
It later emerged that Uber had kept the breach secret for more than a year, even paying hackers to delete the information and keep details of the breach private. The ride-sharing company reached a settlement in 2018 to pay $148 million for the violation and the cover-up, with the funds split among U.S. states.