Uber Confirms Cybersecurity Incident After 18 Year Old Claimed To Be Behind Massive Breach

The New York Times reports that the hacker used a common social engineering technique to access Uber’s systems. He sent a text message to one of the ride-hailing giant’s employees claiming to be a corporate IT person. The worker was persuaded to hand over their password, granting the perpetrator access to Uber’s network. The hacker provided screenshots of Uber’s internal systems to the NYT as proof of his successful attack. He told the publication that he is 18 years old and had been working on his cybersecurity skills for several years, adding that Uber’s weak security prompted him to compromise its network. Once he had access, the hacker sent a Slack message to employees that read: “I announce I am a hacker and Uber has suffered a data breach.” It listed several compromised databases and appeared to call for Uber drivers to receive higher pay. Uber took its internal Slack and engineering systems offline earlier today as it investigated the breach. In an official statement, Uber wrote: “We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available.” Besides his age, little is known about the hacker, though it’s speculated that he is British; an employee said he used the word “wankers,” and he may go by the username ’teapots2022.’ He also accessed Uber’s HackerOne vulnerability bug bounty account and left comments on several report tickets. According to Acronis’ CISO Kevin Reed, the hacker accessed production systems, corporate EDR (endpoint detection and response) console, and Uber’s Slack management interface. It’s still unclear how he bypassed the 2FA after stealing the Uber employee’s password, and we still don’t know if customer information has been accessed. The breach is being compared to the 2016 incident in which the names, email addresses, and phone numbers of 50 million Uber customers, along with the personal details of 7 million drivers, were stolen. Uber paid the hackers responsible $100,000 to delete the data and stop the incident from becoming public knowledge, and it concealed the breach for over a year. The company had to pay a $148 million settlement for the hack and its failure to disclose what happened.