Was Sensitive User Data Stolen & Did 2FA Open The Door To The Hacker?

September 18 update below. This post was originally published on September 15.

The New York Times is reporting that Uber has been hacked. Here's what we know so far about this breaking story.

The ride-hailing and food delivery company has suffered a systems breach, according to the report, with employees unable to access internal tools such as Slack. One employee resource page is said to have had a not-safe-for-work image posted to it by the hacker. A bug bounty hunter and security engineer not involved in the alleged hack has posted a comment attributed to an Uber employee, who wished to remain anonymous, which claims they were told to stop using Slack and that "anytime I request a website, I am taken to a page with a pornographic image" and the message 'f*** you wankers.'

Another bug bounty hunter has tweeted a screenshot, allegedly from the hacker, in which they state, "I announce I am a hacker and Uber has suffered a data breach. Slack has been stolen…" with the hashtag #uberunderpaisdrives.

What has Uber said about the hack?

I reached out to Uber for comment and was pointed to an official statement posted to Twitter which reads: "We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available."

I have seen messages from someone who claims several Uber admin accounts are under their control. A New York Times reporter says that the hacker told them he is 18 years old and hacked the Uber systems because "they had weak security." He further claims this was done through the social engineering of an Uber employee to obtain login credentials.

September 18 update

Uber still has not had much to say publicly about the incident, which appears to have allowed extensive access to internal systems. This is not all that surprising, as investigations are ongoing. Most, if not all, of the evidence of the hack has come from the alleged hacker themselves, in the form of various postings and screenshots. However, the Uber and Uber Eats PR team, posting via the @Uber_Comms Twitter account and at the Uber Newsroom online, have released a security update.

This confirms that the investigation and response efforts continue and states that Uber has "no evidence that the incident involved access to sensitive user data (like trip history)" while confirming that all Uber services are operational. The update also says that the internal software tools that were initially taken offline are back in operation.

That is good news as far as it goes. The trouble is that the more cynical of readers may cite the very specific language used as not providing real clarity. Saying 'no evidence' is not the same as saying it has not happened; combine that with 'sensitive user data' that is only defined in the statement as being 'like trip history', and there are more questions than answers here. Especially given the lack of any statement covering the extent of the network breach, the systems accessed, and the level of access gained by the hacker. One can only hope that such clarity is provided in the coming days and weeks. There hasn't been any notification in my Uber app on the iPhone, so one assumes that there will be users who are blissfully unaware that any cybersecurity breach has even happened.

Did MFA fatigue open the door for the Uber hacker?

Where there does appear to be a little more clarity is in the initial attack method likely used to pry the Uber system's front door open. The alleged hacker has boasted about how they used what is known in the cybersecurity industry as MFA fatigue as a weapon. Multi-Factor Authentication, which most non-technical users will think of as Two-Factor Authentication (2FA), is a worthy layer in overall network defenses. However, the hacker has claimed that Uber was using 'push authentication' (in which the user is asked, on a device such as their laptop or smartphone, whether it is them logging in), and a targeted employee was spammed with these prompts "for about an hour." The hacker says the user was then contacted via WhatsApp under the guise of being from the Uber IT team and told they needed to accept the authentication request in order to stop the prompts from continuing. "He accepted and I added my device," the hacker claims.
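The pattern the hacker describes, a long run of push prompts that the user does not approve followed by a single approval and a new device enrolment, is easy to pick out of an MFA provider's logs, and that is the check a defender would want in place. The following is an added example for this article, not Uber's tooling and not tied to any MFA vendor: it walks a constructed push-authentication log (the "timestamp key=value" record format, the event names, the user names and the thresholds are all assumptions made for illustration) and escalates from "burst of prompts" to "prompt approved after burst" to "device enrolled after burst". The better fix is to take the lever away altogether: push prompts that require the user to type a number shown on the login screen (number matching) cannot be approved by simply tapping "yes", and a cap on prompts per user per hour stops the bombardment before the target gets worn down.

```python
"""Flag MFA push-fatigue patterns in push-authentication logs.

Added example for this article; not Uber's tooling and not tied to any
particular MFA vendor. The log format (one "timestamp key=value ..." record
per line), the event names and the thresholds are assumptions for illustration.
"""
from collections import defaultdict, deque, namedtuple
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
WINDOW = timedelta(minutes=60)   # look-back window for counting prompts
BURST_THRESHOLD = 10             # prompts per user per window before we alert

Finding = namedtuple("Finding", "severity user ts message")


def parse_line(line):
    """Parse 'TS user=... event=... src_ip=...' into a dict with a datetime."""
    ts_str, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.strptime(ts_str, TS_FMT)
    return fields


def detect_mfa_fatigue(lines, window=WINDOW, threshold=BURST_THRESHOLD):
    """Return {user: [Finding, ...]} for users showing a push-fatigue pattern.

    Stage 1 (medium):   >= threshold push prompts for one user inside `window`.
    Stage 2 (high):     a prompt approved within `window` of that burst, i.e.
                        the "just accept it so it stops" moment.
    Stage 3 (critical): a new MFA device enrolled after that approval.
    """
    events = sorted((parse_line(ln) for ln in lines if ln.strip()),
                    key=lambda e: e["ts"])
    recent = defaultdict(deque)   # user -> timestamps of recent push_sent
    burst_at = {}                 # user -> time the threshold was crossed
    findings = defaultdict(list)

    for ev in events:
        user, ts, event = ev["user"], ev["ts"], ev["event"]
        src = ev.get("src_ip", "?")
        if event == "push_sent":
            q = recent[user]
            q.append(ts)
            while q and ts - q[0] > window:      # drop prompts outside window
                q.popleft()
            if len(q) >= threshold and user not in burst_at:
                burst_at[user] = ts
                findings[user].append(Finding(
                    "medium", user, ts,
                    f"{len(q)} push prompts from {src} within {window}"))
        elif user in burst_at and ts - burst_at[user] <= window:
            if event == "push_approved":
                findings[user].append(Finding(
                    "high", user, ts,
                    f"prompt approved after push burst (src {src})"))
            elif event == "device_enrolled":
                findings[user].append(Finding(
                    "critical", user, ts,
                    f"new MFA device enrolled after push burst (src {src})"))
    return dict(findings)


def build_sample_log():
    """Constructed sample log, not real telemetry: 'bob' is a normal login,
    'alice' is bombarded for ~45 minutes, then approves and a device is added."""
    base = datetime(2022, 9, 15, 20, 0, 0)
    stamp = lambda t: t.strftime(TS_FMT)
    lines = [
        f"{stamp(base)} user=bob event=push_sent src_ip=10.1.1.5",
        f"{stamp(base + timedelta(seconds=8))} user=bob event=push_approved src_ip=10.1.1.5",
    ]
    for i in range(15):                           # 15 prompts, none approved
        t = base + timedelta(minutes=1 + 3 * i)
        outcome = "push_denied" if i % 2 == 0 else "push_timeout"
        lines.append(f"{stamp(t)} user=alice event=push_sent src_ip=203.0.113.7")
        lines.append(f"{stamp(t + timedelta(seconds=30))} user=alice event={outcome} src_ip=203.0.113.7")
    t = base + timedelta(minutes=55)              # the pretext call works
    lines.append(f"{stamp(t)} user=alice event=push_sent src_ip=203.0.113.7")
    lines.append(f"{stamp(t + timedelta(seconds=20))} user=alice event=push_approved src_ip=203.0.113.7")
    lines.append(f"{stamp(t + timedelta(minutes=2))} user=alice event=device_enrolled src_ip=203.0.113.7")
    return lines


if __name__ == "__main__":
    for user, items in detect_mfa_fatigue(build_sample_log()).items():
        for f in items:
            print(f"[{f.severity.upper():8}] {f.ts.isoformat()} {user}: {f.message}")
```

Run against the constructed log, `bob` produces nothing and `alice` produces three findings in order: the burst (the tenth prompt, at 20:28), the approval at 20:55 and the device enrolment at 20:57. The `push_denied` and `push_timeout` events are deliberately not counted; what matters is how many prompts were generated, because an attacker who holds the password can generate them at will.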

Abhay Bhargav, CEO at AppSecEngineer, says that it appears the MFA phishing attack "led to a PowerShell script being found, with admin credentials to their Thycotic PAM (Privileged Access Management) tool. With all credentials being part of this PAM solution, now the entire org was compromised because the PAM had access to Amazon Web Services (AWS), Google Workspace, Slack and more."

Uber security vulnerability reports could have been stolen

Bleeping Computer has been in contact with the alleged hacker and has seen screenshots showing access to "critical Uber IT systems" that include security software, the Amazon Web Services console, the Google Workspace email admin dashboard and the aforementioned Slack server. It would also appear that the hacker gained access to Uber's HackerOne vulnerability bug bounty account, leaving comments on a number of report tickets. This could yet prove to be one of the most valuable assets from the attacker's perspective, as it has been claimed that Uber's vulnerability reports have been downloaded. Marten Mickos, the HackerOne CEO, has said that the Uber account has been locked down and the company is working with Uber to assist in the investigation.

"This attack has left Uber with a significant amount of data leaked, with the potential of including customer and driver's personal data," Jake Moore, global cyber security advisor at ESET, said. "This is seemingly the work of a clever socially engineered attack. Gaining access to private data inside VPNs needs to be difficult and behind strict protections. This leaves Uber with a lot of questions about how much data was compromised through such a simple technique."

It is not known what, if any, customer data may have been accessed at this point in time. This is a developing story, and I will keep updating it as more details emerge.