Could this be true? “I hereby announce that I am a hacker and that Uber has a data breach.” Employees at ride-hailing service provider Uber, based in San Francisco, California, who read the message in Slack, their communications software, believed it was a hoax. They joked around with the author via Slack. At that time, the security department was already on red alert. The administrators warned that Slack should no longer be used, and finally they switched it off.
It was of course too late by then. When the Slack message was sent to the entire workforce, the hacker already had access to what security experts like to call “the crown jewels”, i.e. the most important internal information. Security researchers and the New York Times he had screenshots of emails, data stored in the cloud, and code repositories sent, i.e. systems on which the source code of software is stored and managed.
Of the Times the attacker said he was 18 years old and had been hacking for a number of years. However, it does not appear to have been particularly difficult to penetrate Uber’s internal systems. The attacker wrote a text message to an Uber employee posing as an internal IT worker. He convinced him to give him a password that would grant him access to Uber’s internal network.
A kind of lottery prize was waiting for him there: on a network drive he found a file with passwords for many other Uber systems, including the servers that the company rented from cloud provider Amazon and the control center for security software. “They have access to pretty much everything,” says security expert Sam Curry from the security company Yuga Labs. “As it stands, everything is compromised.”
Uber has since admitted the incident is reluctant to go into details, however. A security incident is currently being investigated and the investigative authorities have been called on. As soon as there is anything new, it will be announced. That’s little, but better than 2016, when hackers stole the account data of 57 million drivers and passengers. Uber paid the requested $100,000 but kept the incident a secret for more than a year.
The big question is what happens now. The case is reminiscent of a very similar attack on Twitter, in which a young hacker had practically full access to the short message service and could have done anything. It was, however, a few jokes. The current case could also run smoothly. The hacker asked Uber to pay its drivers more money. That he would have made demands for himself is not mentioned. However, too much is still unclear and the matter could become very, very unpleasant and, above all, expensive for Uber. Just securing the systems again will cost millions.