Uber, a taxi company, has experienced a major cyberattack in which threat actors accessed many of the company's critical IT systems, applications, endpoints and sensitive data.
The attack, which has since been confirmed by Uber, appears to be the work of a threat actor who managed to steal login credentials from a company employee.
The New York Times, which broke the news, said it had spoken with the alleged hacker who claimed to have breached Uber following a social engineering attack on an employee and stealing passwords.
Stealing vulnerability reports
"We are currently in contact with law enforcement and will post additional updates here as they become available," Uber tweeted on its support Twitter account.
The attackers were able to gain access to a vast array of sensitive systems and information, including internal systems, the email dashboard, the Slack server, security software, the Windows domain, the Amazon Web Services console, VMware ESXi virtual machines, and the Google Workspace email admin dashboard.
Although all of this information is invaluable, the attackers may have hit the jackpot with the vulnerability reports.
A source told BleepingComputer that, before losing access to Uber's bug bounty program, the threat actor downloaded all vulnerability reports. In other words, the hackers obtained all of Uber's information about the bugs it might currently have or be fixing.
Uber has implemented a bug bounty program via HackerOne, which allows security researchers to disclose information on Uber's software bugs and vulnerabilities in private and be paid for it. HackerOne has since been removed, but it might just be too late.
This is not the first time Uber has encountered a major data incident in 2022. Earlier in 2022, the company admitted to covering up a major data breach that took place in 2016. This data breach resulted in user information becoming available on the internet, with a couple of executives attempting to cover the whole thing up.
Uber's confession was a part of a settlement that reassured the public that the company would not pursue criminal prosecutions.