An Uber hacker who has gained access to a number of the company''s internal systems, including its Slack channels, claims to have full control of the company''s cloud-based servers, according to Amazon Web Services and Google''s GSuite.
Incredibly, the attack appears to have modeled the one back in 2016, which compromised the personal data of 57 million people. This suggests that Uber failed to fix a major security hole, which allows the same attack to take place six years later.
Uber has confirmed that the attack took place, but has not provided further details on its scope. At this point, it is unclear whether any customer data has been compromised.
Uber security breach
According to Uber''s two-sentence statement, the company is entitled to one vote:
As new information becomes available, we are currently working on a cybersecurity issue. We are in touch with law enforcement and will post additional updates here.
Uber has reported that its internal systems have been taken offline to avoid further intrusions durant its investigation, according to the New York Times.
Employees have not disclosed much more about the company.
An Uber executive wrote to employees in an internal email that the hack was under investigation. We haven''t seen an estimate yet on when full access to tools will be restored, so please thank you for bearing with us. Latha Maripuri, Uber''s chief information security officer, claims the incident.
The hacker made no secret of the attack, revealing in poor English that the attack had been carried out on one of the companies'' Slack channels:
@hereI say i am a hacker and uber has suffered a data breach.Slack has been stolen, confidential data with Confluence, stash, and two monorepos from phabricator have also been stolen, along with secrets from sneakers.#uberunderpaisdrivers [sic]
Messages to NYT and security investigators were also sent, declaring that they were 18 years old, and explaining how they were able to execute the attack.
How the Uber hacker got access
A screenshot from a security researcher reveals that the hacker explained the frighteningly simple way they gained full access.
Follow the link to the last tweet, which says, "Without the exchange."
It appears there was an internal network share that contained powershell scripts.
"One of the powershell scripts included the username and password for an admin user in Thycotic (PAM). Using this i was able to extract secrets for all services, including DA, DUO, Onelogin, AWS, and GSuite," says a pic.twitter.com/FhszpxxUEW.
Corben Leo (@hacker_) September 16, 2022
The hacker added to the NYT''s social engineering component.
The person responsible for the hack told The New York Times that he had sent a text message to an Uber employee who claimed to be a corporate information technology person. The employee was persuaded to give over a password that allowed the user to obtain access to Ubers systems, a technique known as social engineering.
While this is unspecified, another security researcher who chatted with the hacker claims that it does appear convincing.
According to Sam Curry, a security engineer at Yuga Labs who corresponded with the person who claimed to be responsible for the breach. This is a total compromise, from what it looks like.
Scripts with embedded credentials, without necessarily administrative credentials, are a real security failure. So, we would also be ignoring employees'' concern about the importance of never discloseing their passwords.
If it hadn''t happened before, this would be bad enough, but it is.
Same method used in 2016 hack
In 2016, Uber experienced a massive data depreciation, revealing personal data of over 57 million customers and drivers.
The number of 57 million users affected was 50 million among those who traveled to the United States, with the rest 7 million drivers. Those information included names, email addresses, and phone numbers, as well as the license numbers of 600,000 drivers who were suspended during the breach.
In an attempt to keep the situation quiet, the company violated the law by failing to disclose the breach.
According to a Bloomberg report, the breach originally happened in October of 2016, with Uber attempting to conceal it for a year 
Travis Kalanick, the co-founder and former CEO of Uber, was informed of the breach in November 2016. During that time, the company was in the midst of discussing issues with the New York Attorney General and the Federal Trade Commission about the handling of the customer data. Instead of properly discloseing the breach, Uber paid the hackers $100,000 to delete the data and keep quiet.
Unbelieveablely, this attack used the exact same key element to increase access, therefore it appears astonishing that it had still not removed embedded credentials six years later!
Bloomberg explains that the hackers were able to access a private GitHub site hosted by Uber software developers and used login credentials found there to access additional data on an Amazon Web Services account.
Incredibly, whether Uber hacker accessed user data is unknown.
The hacker''s access would include the ability to view customer data, but no reports have been made as yet.
Given that the attacker disclosed their access and shared details with both the media and security researchers, it would seem that no harm was intended. However, the behavior does not appear to be compatible with a black-hat hacker who would access and sell customer information, but this is to the point.
Shah Ram Moghadam Khamseh/Unsplash Photo