Following reports that the ride-hailing company had been hacked, Uber announced on Thursday that it is investigating a cybersecurity incident.Uber said on Twitter, “We are currently responding to a cybersecurity incident.” “We are in contact with law enforcement and will provide further updates as they become available.”
According to the New York Times, a hacker gained access to Uber’s internal systems after compromising an employee’s Slack account, and the company communicated directly with the attacker. Many tech companies and startups use Slack, a workplace messaging service, for daily communications. According to multiple reports, Uber has now disabled its Slack. On hearing about the hack, Uber’s stock dropped 5% on Friday.
The hacker gained access to other internal databases after compromising Uber’s internal Slack in a so-called social engineering attack, according to the Times. The hacker is said to have written in one Slack message, “I announce I am a hacker and Uber has suffered a data breach.”
According to a separate report from the Washington Post, the alleged attacker told the newspaper that they breached Uber for fun and could leak the company’s source code within months.
Employees initially mistook the attack for a joke, responding to Slack messages from the alleged hacker with emojis and GIFs, according to the Post, citing two people familiar with the situation.
According to screenshots shared on Twitter, the hacker also gained access to Uber’s Amazon Web Services and Google Cloud accounts, as well as internal financial data.
The information could not be independently verified by CNBC. Uber declined to comment further than its Twitter statement.
While it is not yet clear how Uber’s systems were compromised, cybersecurity researchers believe the hacker used social engineering rather than sophisticated hacking techniques. Criminals use people’s trust and inexperience to gain access to corporate accounts and sensitive data.
“This is a pretty low-bar to entry attack,” said Ian McShane, vice president of strategy at Arctic Wolf. “Given the access they claim to have gained, I’m surprised the attacker didn’t try to extort or ransom; it appears they did it ‘for the lulz.'”
“It’s proof once again that the human is often the weakest link in your security defenses,” McShane added.
Sam Curry, a self-described “bug bounty hunter,” claimed to have spoken with the alleged Uber hacker and that the employee targeted was involved in incident response. Curry believes this means the hacker had “elevated access to begin with.” Companies offer bug bounties to hackers in exchange for the discovery of software vulnerabilities.
“From what I understand, the attacker had keys to the kingdom after obtaining an internal file containing credentials to almost everything,” he added. Curry, a security engineer at crypto startup Yuga Labs, claims he communicated with the hacker via Telegram, an instant messaging platform.
The attack comes as Uber’s former security chief, Joe Sullivan, is on trial for a 2016 breach in which the personal information of 57 million users and drivers was stolen. In 2017, the company admitted to concealing the attack and paid $148 million in a settlement with 50 U.S. states and Washington, D.C. the following year.