When did they get attacked?
On the evening of September 15th, 2022, Uber released a statement on their Twitter account revealing that they had discovered a cybersecurity incident.
Who attacked them?
The hacker claims to be an 18-year-old individual who compromised the system and had gained virtually unrestricted access to everything in the database. Neither Uber nor law enforcement have commented on the teenager's claims.
Was any data compromised?
The hacker shared screenshots with a popular Twitter user and claimed that personally identifiable information was compromised and that they had access to Uber's HackerOne bug bounty program, from which they were able to copy the system's vulnerability scan results. Additionally, there were screenshots showing that Slack, Google Workspace data, vSphere, and AWS data, along with Uber's financial data, had all been accessed. Despite these claims, Uber released a statement on Friday saying they had not found any evidence that sensitive user data was accessed. They did, however, take down internal software tools (Slack, AWS, GCP) as a precaution when the breach was first discovered.
How was the environment penetrated?
The alleged hacker revealed to The New York Times that he used a social engineering attack to gain access to an employee's Slack account. He obtained private credentials from an employee through a multi-factor authentication (MFA) fatigue attack, spamming employees with push authorization prompts until one was accepted, which gave him access to the system. He claims that one employee was convinced they were being contacted by a member of corporate IT and sent over their password.
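A defender-side check for the push-bombing pattern described above, added here as an example and not taken from the article or from Uber: it scans MFA push logs for a user who received a burst of push prompts inside a short window and then approved one. The log format, field names and IP addresses are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push log (assumed format, not a real vendor's):
# "<ISO timestamp> user=<name> push=<sent|denied|approved> src=<ip>"
SAMPLE_LOG = """\
2022-09-15T21:02:10Z user=alice push=sent src=203.0.113.7
2022-09-15T21:02:40Z user=alice push=denied src=203.0.113.7
2022-09-15T21:03:05Z user=alice push=sent src=203.0.113.7
2022-09-15T21:03:30Z user=alice push=denied src=203.0.113.7
2022-09-15T21:04:01Z user=alice push=sent src=203.0.113.7
2022-09-15T21:04:20Z user=alice push=sent src=203.0.113.7
2022-09-15T21:04:45Z user=alice push=sent src=203.0.113.7
2022-09-15T21:05:12Z user=alice push=sent src=203.0.113.7
2022-09-15T21:05:40Z user=alice push=approved src=203.0.113.7
2022-09-15T21:10:00Z user=bob push=sent src=198.51.100.4
2022-09-15T21:10:20Z user=bob push=approved src=198.51.100.4
"""


def parse_line(line):
    """Split one log line into (timestamp, user, action, source ip)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kv["user"], kv["push"], kv["src"]


def find_push_fatigue(log_text, window=timedelta(minutes=5), max_pushes=4):
    """Return {user: details} for each user who was sent at least max_pushes
    push prompts within a rolling window and then approved one. A single
    denied prompt is normal; many prompts followed by an approval is the
    fatigue signature worth alerting on (and a cue to reset the session)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, user, action, src = parse_line(line)
            events[user].append((ts, action, src))
    alerts = {}
    for user, evs in events.items():
        recent_sends = []
        for ts, action, src in evs:
            # Keep only the prompts that fall inside the rolling window.
            recent_sends = [t for t in recent_sends if ts - t <= window]
            if action == "sent":
                recent_sends.append(ts)
            elif action == "approved" and len(recent_sends) >= max_pushes:
                alerts[user] = {"pushes_before_approval": len(recent_sends),
                                "approved_at": ts, "src": src}
    return alerts
```

On the sample log only alice trips the rule (six prompts in under four minutes, then an approval); bob's single prompt and approval is an ordinary login.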
Any monetary losses?
There have not been any reports of monetary losses. Uber’s services remained operational after the breach was discovered.
How can such attacks be prevented from recurring?
Although Uber has yet to announce any preventative measures to be put in place after this attack, the breach has brought many security issues to the surface. Employees must be trained to recognize MFA fatigue attacks so that they do not fall victim to them and share their credentials. This can be addressed by including social engineering attacks in Security Awareness Training. More information regarding Security Awareness Training can be found in NIST SP 800-53 under the Awareness and Training (AT) control family. Under AT-2, the training is part of the onboarding process for new users and is also required at a regular frequency thereafter. Uber could add social engineering awareness training to this curriculum and administer it to all current employees. AT-3 further explains that role-based training should be more detailed and thorough, especially for roles that require a higher level of protection, such as personnel with administrative access.
The City of London Police reported through Twitter that they had arrested a 17-year-old on suspicion of hacking. Some believe the teenager to be the same person who hacked Uber, although this has yet to be confirmed.