The computer network of Uber has been hacked.
The ride-hailing company stated that it was conducting an investigation after several internal communications and engineering systems were compromised.
The New York Times first reported the breach after the hacker sent the newspaper images of email, cloud storage, and code repositories.
According to the report, two Uber employees were told not to use the workplace messaging app Slack.
Shortly before the Slack system was taken offline, Uber employees received a message that read: “I announce I am a hacker and Uber had suffered a data breach.”
The hacker appeared to have later gained access to other internal systems, posting an explicit photo on an internal information page for employees.
Uber stated that it was in contact with authorities regarding the breach.
There is no evidence that the hack affected Uber’s fleet of vehicles, customers, or payment data.
Bugs
Uber contributes to HackerOne, a bug bounty platform based in California. Many large corporations use bug bounty programs, which essentially pay ethical hackers to find bugs.
One of the bug bounty hunters, Sam Curry, communicated with the Uber hacker. “It appears that they’ve compromised a lot of things,” he said.
Mr. Curry spoke with several Uber employees, who said they were “working to lock down everything internally” to prevent the hacker from gaining access.
He stated that there was no evidence that the hacker had caused any harm or was interested in anything other than publicity.
“We’re in close contact with Uber’s security team, have locked down their data, and will continue to assist with their investigation,” said Chris Evans, chief hacking officer for HackerOne.
Who is to blame?
According to the New York Times, the hacker is 18 years old, has been practicing cyber-security for several years, and hacked the Uber systems because “they had weak security.”
The person who announced the breach on Slack also stated that Uber drivers should be paid more.
A common saying in cyber-security is that “humans are the weakest link,” and this hack demonstrates it: an employee who was duped let the criminals in.
Although the saying is correct, it is also extremely cruel.
The complete picture that is emerging here indicates that this hacker was highly skilled and motivated.
As we’ve seen with recent Okta, Microsoft, and Twitter breaches, young hackers with plenty of time on their hands and a devil-may-care attitude can persuade even the most cautious employees to make cyber-security mistakes.
This type of social engineering hacking is as old as computers themselves; just ask infamous former hacker Kevin Mitnick, who was sweet-talking his way around telephone networks in the 1970s.
The difference today is that hackers can combine their gift of gab with highly sophisticated and user-friendly software to make their job even easier.