Taxi giant Uber has suffered a major cyberattack in which threat actors accessed many of the company’s critical IT systems, applications, endpoints, and sensitive data.
The attack, which has since been confirmed by Uber, appears to be the work of a threat actor who managed to steal login credentials from a company employee.
The New York Times, which broke the news, said it had spoken to the alleged hacker, who claimed to have breached Uber after performing a social engineering attack on an employee and stealing passwords.
Stealing vulnerability reports
“We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available,” Uber confirmed via its support Twitter account.
It’s not known if any viruses or malware were used, but using the stolen credentials, the attackers were able to gain access to a treasure trove of sensitive data, including internal systems, email dashboard, Slack server, security software, Windows domain, Amazon Web Services console, VMware ESXi virtual machines, and the Google Workspace email admin dashboard.
While all of this data is valuable, the attackers may have hit the jackpot with vulnerability reports.
A source told BleepingComputer the threat actor “downloaded all vulnerability reports” before losing access to Uber’s bug bounty program. In other words, the hackers obtained all of the information on bugs and flaws that Uber may currently have or be fixing.
Uber runs a bug bounty program via HackerOne, allowing security researchers to share their findings on Uber’s software bugs and vulnerabilities, in private, and get paid for it. This program has since been disabled by HackerOne, but it might just be a little too late.
This is not the first time Uber has faced a major data incident. Earlier in 2022, the company admitted to covering up a major data breach that took place in 2016. That data breach resulted in user data making its way online, with a couple of executives trying to cover the whole thing up.
Uber’s confession came as part of a settlement that saw it avoid criminal prosecution from the U.S. Department of Justice.
Via: BleepingComputer