Uber investigating wide-reaching security breach
Add Axios as your preferred source to
see more of our stories on Google.
Illustration: Rebecca Zisser/Axios
Uber is currently responding to what could be one of the worst breaches in the company's history — all because of a few text messages.
Why it matters: The hacker who has claimed responsibility for the ongoing Uber breach is believed to have access to the company's source code, email and other internal systems — leaving employee, contractor and customer data at risk.
- The breach also comes as Uber's former security chief stands trial for charges related to his handling of a 2016 data breach affecting 57 million Uber riders and drivers.
Details: A hacker first gained access to Uber's systems on Thursday after sending a text message to an employee claiming to be an IT person and asking for their login credentials, according to the New York Times, which first reported the breach.
- The hacker then compromised the employee's Slack account and sent a public message informing the rest of the company of the breach, per screenshots shared on Twitter.
- From there, the hacker — who claims to be 18 years old — appears to have used those credentials to gain access to other internal systems, including Uber's cloud services on Amazon Web Services and Google Cloud.
- Sam Curry, a security engineer at Yuga Labs, said in a tweet that the hacker appears to have compromised an Uber employee's HackerOne account — where ethical hackers report security vulnerabilities in a company's platform — and is "commenting on all of the tickets." HackerOne CEO Mårten Mickos said his company has since "locked their data down."
What they're saying: Uber said in a tweet late Thursday that it is "currently responding to a cybersecurity incident" and that the company has contacted law enforcement.
The big picture: Uber is just the latest company to fall prey to a sophisticated phishing attack targeting employees.
- A hack at Twilio last month affected the data of 125 customers and started after some employees shared their credentials with hackers during "a sophisticated social engineering attack" (an attack that uses relatable social skills to trick people into thinking the message is legitimate).
Between the lines: Text-based phishing campaigns targeting company employees' login credentials are only expected to get worse before they get better, experts tell Axios.
- For incident responders and company IT teams, managing threats to an employee's phone is nearly impossible since most people use their phones for both personal and work purposes.
- Targeting employees through phone-based phishing campaigns suggests hackers have found a good way to breach large organizations with layered and sophisticated cybersecurity practices, says Sam Rubin, vice president of North American security consulting at Palo Alto Networks.
What's next: Uber is still investigating the scope of the breach, so expect more details about what data was accessed, how the hacker gained access, and Uber's plans to toughen internal security in the coming weeks and months.
Go deeper: Anatomy of a text message phishing scam
