The ride-hailing service Uber said Friday that all of its services were operational following what security professionals are calling a major data breach, claiming there was no evidence the hacker got access to sensitive user data.
But the breach, apparently by a lone hacker, put the spotlight on an increasingly effective break-in routine involving social engineering: The hacker apparently gained access posing as a colleague, tricking an Uber employee into surrendering their credentials.
They were then able to find passwords on the network that got them the level of privileged access reserved for system administrators.
The potential damage was serious: Screenshots the hacker shared with security researchers indicate they obtained full access to the cloud-based systems where Uber stores sensitive customer and financial data.
It is not known how much data the hacker stole or how long they were inside Uber’s network. Two researchers who communicated directly with the person — who self-identified as an 18-year-old to one of them — said they appeared interested in publicity. There was no indication they destroyed data.
But files shared with the researchers and posted widely on Twitter and other social media indicated the hacker was able to access Uber’s most important internal systems.
“It was really bad the access he had. It’s awful,” said Corbin Leo, one of the researchers who chatted with the hacker online.
The cybersecurity community’s online response — Uber also suffered a serious 2016 breach — was harsh.
The hack “wasn’t sophisticated or complicated and clearly hinged on multiple big systemic security culture and engineering failures,” tweeted Lesley Carhart, incident response director of Dragos Inc., which specializes in industrial-control systems.
Leo said screenshots the hacker shared showed the intruder got access to systems stored on Amazon and Google cloud-based servers where Uber keeps source code, financial data and customer data such as driver’s licenses.
“If he had keys to the kingdom he could start stopping services. He could delete stuff. He could download customer data, change people’s passwords,” said Leo, a researcher and head of business development at the security company Zellic.
Screenshots the hacker shared — many of which found their way online — showed sensitive financial data and internal databases accessed. Also widely circulating online: The hacker announcing the breach Thursday on Uber’s internal Slack collaboration system.
Leo, along with Sam Curry, an engineer with Yuga Labs who also communicated with the hacker, said there was no indication that the hacker had done any damage or was interested in anything more than publicity.
Source: www.bostonherald.com