Uber Confirms Hacker Accessed Internal Tools and Bug Bounty Dashboard

Ride-sharing giant Uber is moving quickly to minimize the impact of a devastating security breach that included the theft of employee credentials, HackerOne bug bounty dashboard access and billing tool data internal.

In a memo on Monday, Uber confirmed that an external contractor had its account compromised by an attacker who used that access to elevate permissions on Google GSuite and Slack communication platforms.

Uber acknowledged the attacker had access to several internal tools, but insisted that public systems that manage credit cards, bank account information or rideshare ride history remain secure.

From Uber’s latest breach update:

“First and foremost, we did not find that the attacker gained access to the production (i.e. publicly available) systems that power our applications; any user accounts; or databases that we use to store sensitive information about users, such as credit card numbers, user’s bank account information, or travel history We also encrypt credit card information and personal data. personal health, providing an additional layer of protection.

We reviewed our code base and did not find that the attacker had made any changes. We also did not discover that the attacker accessed any customer or user data stored by our cloud providers (e.g. AWS S3).”

[ READ: Uber Investigating Data Breach After Hacker Claims Extensive Compromise ]

The company said the attacker managed to download Slack’s internal messages and data from an internal tool used by our finance team to manage certain invoices. “We are currently analyzing these downloads,” Uber said.

More worryingly, Uber said the attacker was able to access its bug bounty dashboard on HackerOne, suggesting the exposure of security vulnerabilities data. “However, all bug reports that the attacker was able to access have been fixed,” the company said.

“Throughout this time, we have been able to keep all of our public Uber, Uber Eats and Uber Freight services up and running. Because we removed some internal tools, customer support operations were minimally impacted and are now back to normal.

[ READ: The Chaos (and Cost) of the Lapsus$ Hacking Carnage ]

Uber said it believed the attacker purchased the contractor’s Uber corporate password from the dark web, after the contractor’s personal device was infected with malware, exposing these credentials.

“The attacker then attempted multiple times to log into the contractor’s Uber account. Each time, the contractor received a two-factor login approval request, which initially blocked access. Eventually, however, the contractor accepted one and the attacker logged in successfully.

From there, the attacker gained access to several other employee accounts, which ultimately gave the attacker elevated permissions to a number of tools, including G-Suite and Slack,” Uber explained.

The attacker then posted a message on a company-wide Slack channel, which many of you have seen, and reconfigured Uber’s OpenDNS to display a graphical image to employees on certain internal sites.

The company said it believed the notorious Lapsus$ hacking gang was behind the compromise.

Related: Uber Investigates Data Breach After Hacker Claims Significant Compromise

Related: Twilio and Cloudflare Attacked in Campaign That Affected Over 130 Organizations

Related: Okta Says Customer Data Is Compromised in Twilio Hack

Ryan Naraine is editor of SecurityWeek and host of the popular Security Conversations podcast series. Ryan is a seasoned cybersecurity strategist who has implemented security engagement programs for major global brands including Intel Corp., Bishop Fox, and Kaspersky GReAT. He is co-founder of Threatpost and the SAS Global Conference Series. Ryan’s previous career as a security journalist included articles in major technology publications, including Ziff Davis eWEEK, CBS Interactive’s ZDNet, PCMag and PC World. Ryan is a director of the nonprofit organization Security Tinkerers, an advisor to startup entrepreneurs, and a regular speaker at security conferences around the world.
Follow Ryan on Twitter @ryanaraine.

Previous columns by Ryan Naraine:
Key words:

Comments are closed.