Taxi giant Uber has suffered a major cyberattack in which threat actors accessed many of the company’s critical IT systems, applications, endpoints, and sensitive data.
The attack, which has since been confirmed by Uber, appears to be the work of a threat actor who managed to steal login credentials from a company employee.
The New York Times, which broke the news, said it had spoken to the alleged hacker, who claimed to have breached Uber after performing a social engineering attack on an employee and stealing passwords.
Stealing vulnerability reports
"We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available," Uber confirmed via its support Twitter account.
It's not known if any viruses or malware were used, but using the stolen credentials, the attackers were able to gain access to a treasure trove of sensitive data, including internal systems, email dashboard, Slack server, security software, Windows domain, Amazon Web Services console, VMware ESXi virtual machines, and the Google Workspace email admin dashboard.
While all of this data is valuable, the attackers may have hit the jackpot with vulnerability reports.
A source told BleepingComputer the threat actor “downloaded all vulnerability reports” before losing access to Uber’s bug bounty program. In other words, the hackers obtained all of the information on bugs and flaws that Uber might currently have or be fixing.
Uber runs a bug bounty program via HackerOne, allowing security researchers to share their findings on Uber’s software bugs and vulnerabilities, in private, and get paid for it. This program has since been disabled by HackerOne, but it might just be a little too late.
This is not the first time Uber has faced a major data incident. Earlier in 2022, the company admitted to covering up a major data breach that took place in 2016. That data breach resulted in user data making its way online, with a couple of executives trying to cover the whole thing up.
Uber’s confession came as part of a settlement that saw it avoid criminal prosecution from the U.S. Department of Justice.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.