The hacker who claims to have hacked Uber might not have landed a stinging punch. The ridesharing firm has provided an update regarding the security breach by confirming there's "no evidence" to suggest that intruders accessed sensitive user data, such as trip histories.
All services provided by the company, including Uber, Eats, Freight, and the Uber Driver app are functioning correctly and have also restored the use of internal software it took down upon unearthing the network breach.
“We have no evidence that the incident involved access to sensitive user data (like trip history),” the company stated. “Internal software tools that we took down as a precaution yesterday are coming back online this morning.”
Uber contacted law enforcement and started an internal investigation into the incident, a company spokesman confirmed. However, the company didn't say more about the reported perpetrator or the nature of the incident, several security experts believe that it is downplaying the incident and has no clear idea regarding the depth of the breach.
Intrusion details
The breach allegedly involved a lone hacker, who claimed to be an 18-years-old male, who employed a social engineering-based hacking technique to trick an Uber employee into revealing login credentials by posing as a coworker.
Upon securing an initial foothold, the hacker discovered an internal network share containing PowerShell scripts with privileged admin credentials, allowing carte blanche access to other critical systems, including AWS, Google Cloud Platform, OneLogin, SentinelOne incident response portal, and Slack.
Singapore-based Group-IB's follow-up investigation of downloaded artifacts as captured by the hacker reveals complete access to Uber's cloud-based infrastructure to hold private consumer and financial data.
The hacker blamed Uber’s feeble security system for successfully exploiting its databases. He also contacted the New York Times claiming that he hacked Uber for fun and has its source code in his possession, which he might post online.
Firm’s history of downplaying the data breach
Network breach has been an issue for Uber in the past. In 2018, it agreed to a $148 million settlement over a 2016 data breach the company failed to reveal. Hackers were able to siphon data on 57 million drivers and riders, including private details such as names, email addresses, and driver's license numbers.
The data breach incident remained buried for more than a year. However, in November 2017 multiple reports surfaced that Uber suffered a massive security breach, and paid the hackers $100,000 to delete the information and had them sign a nondisclosure agreement.