Identity, Vulnerability Management

Uber confirms hack in the latest access and identity nightmare for corporate America

A banner with Uber's logo hangs outside the New York Stock Exchange
The Uber banner hangs outside of the New York Stock Exchange. Ride-share company Uber confirmed it was hacked in what appears to be a damaging compromise of internal systems and the company’s accounts for multiple third-party services. (Photo by Spencer Platt/Getty Images)

Ride-share company Uber confirmed it was hacked in what appears to be a damaging compromise that includes both internal systems and the company’s accounts for multiple third-party services.

Last night, the New York Times reported that Uber was investigating a compromise of its internal systems and had to take a number of its communications and engineering systems offline while employees were warned not to use Slack after the hacker was able to gain access to an employee’s work account and began posting messages advertising the hack.

Two hours later, the company confirmed the incident in a Twitter post, while screenshots of internal Uber systems were shared online by security researchers, some of whom claimed to have been in contact with the hacker.

“We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available,” Uber’s communications team wrote.

Later in the day, Uber posted an update claiming that there is currently no evidence that sensitive user data like trip histories were accessed, that internal communication and service tools are coming back online and that services like Uber, UberEats, Uber Freight and Uber Driver are all operational. Cybersecurity experts routinely warn that it is very difficult to assess the full scope of a breach in the immediate aftermath.

The actor also posted screenshots that indicate they have access to Uber’s administrative account on third-party services like HackerOne, a bug bounty platform, as well as their AWS cloud server.

“We’re in close contact with Uber’s security team, have locked their data down, and will continue to assist with their investigation,” said Chris Evans, CISO for HackerOne.

Corben Leo, a security researcher and chief marketing officer at Zellic, told SC Media that he learned directly from the hacker that the individual phished an Uber employee to gain access to Uber’s corporate VPN. From there, they were able to scan Uber’s internal corporate network, where they found administrative user credentials for Uber’s Thycotic account, a privileged access management system, through a shared network resource.

“Using this they were able to access Uber's AWS environment, GSuite, Duo (can thus bypass 2FA for anything), OneLogin, get Domain Admin, etc.,” Corben said through a Twitter direct message.

Leo told SC Media that beyond that conversation, he has not been in further contact with the hacker.

Screenshot of conversation between security researcher Corben Leo and the alleged Uber hacker. (Source: Corben Leo)

If those reports turn out to be accurate, it will mark yet another instance where access to a single account resulted in the compromise of a multi-billion dollar company. Companies like Twitter, Microsoft and Okta have all been hacked in a similar fashion. Further, the widespread, ubiquitous access that many employees have to internal systems was one of the chief concerns highlighted by Peiter Zatko, former CISO for Twitter, in his whistleblower complaint against the company earlier this year.

While details about the hack are still coming to light, it appears that “a single hard coded password has been used to access [Uber’s] privileged access management  system, giving access to any area of the IT environment that links to it,” said Chris Vaughan, area vice president at Tanium.

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.