Getty Images/iStockphoto

Uber responds to possible breach following hacker taunts

Security researchers spotted suspicious activity on Uber's HackerOne page when the alleged hacker posted messages claiming they had compromised the ride-share company's network.

Uber is responding to a data breach after a hacker claimed to have compromised major parts of the company's network.

Uber's communications' account tweeted Thursday night that it was responding to a cybersecurity incident and that it was in contact with law enforcement. The apparent breach first came to light shortly before, when security researchers noticed that Uber's HackerOne account had been compromised. The account posted messages on bug submission tickets that multiple systems of Uber had been hacked.

HackerOne CISO Chris Evans tweeted late Thursday night that his company was communicating with Uber and has "locked their data down, and will continue to assist with their investigation."

At press time, the messages had been removed from Uber's HackerOne page, which currently says the account "has been disabled."

The alleged hacker told The New York Times that he was 18 years old and had gained access by phishing an Uber employee over text message, claiming to be a corporate IT employee. The employee then supposedly gave up account credentials. The New York Times said the hacker provided screenshots of internal Uber systems and told the paper he hacked Uber because the company had weak security.

Researcher and Yuga Labs security engineer Sam Curry tweeted that the hacker had shared screenshots showing full admin access to Uber Amazon Web Services and Google Cloud Platform accounts.

Corben Leo,  head of business development at Zellic, published a Twitter thread showing screenshots featuring an apparent Telegram chat between the hacker and another party. According to the Telegram chat, which Leo said was emailed through Uber's compromised HackerOne account, the hacker used the Uber employee's credentials to log into an Uber VPN and scan the ride-share giant's intranet. After gaining access, he allegedly discovered PowerShell scripts that contained the credentials for an account for privileged access management vendor Thycotic. These credentials, he said, led to access on additional platforms like AWS.

In continued taunts of the ride-share company, the hacker posted additional screenshots on Telegram of data and resources allegedly belonging to Uber, but TechTarget Editorial could not verify those posts.

Uber's last high-profile security incident was in 2016, when threat actors breached the company using stolen GitHub credentials. The fallout from that hack involved Uber executives allegedly attempting to cover up the data breach as a bug bounty. Former Uber CEO Travis Kalanick eventually stepped down, and former Uber CSO Joe Sullivan was charged in 2020 with obstruction of justice and misprision of a felony. Sullivan's trial began earlier this month.

The scope of the latest Uber breach is unclear. In an email to TechTarget Editorial, Uber did not confirm that a breach had occurred. The company instead linked to Thursday's Uber Comms tweet.

Alexander Culafi is a writer, journalist and podcaster based in Boston.

Dig Deeper on Data security and privacy