Uber is investigating a breach serious enough to have gifted a hacker full access to the company's internal systems.
As The New York Times reports, an 18-year-old hacker has claimed responsibility for the hack, provided proof in the form of screenshots of internal Uber systems, and explained how he used a social engineering technique to pull it off.
The hacker claims to have sent a text message to an Uber worker while posing as a corporate information technology person. The worker fell for the ruse and gave the hacker a password, which was then used to access Uber's systems. It seems the password allowed access to the employee's Slack account, and the hacker then proceeded to infiltrate other internal systems from there.
Sam Curry, a security engineer at Yuga Labs, spoke with the hacker and concluded, "They pretty much have full access to Uber ... This is a total compromise, from what it looks like."
By "total compromise," Curry means the hacker gained access to Uber's source code and just about every internal system the company operates, including emails. Once access had been gained to multiple systems, the hacker sent a Slack message to Uber employees stating, "I announce I am a hacker and Uber has suffered a data breach," along with a list of internal databases he had access to. An explicit photo was also posted on an internal information page.
An internal email sent by Latha Maripuri, Uber’s chief information security officer, and seen by The New York Times said, "We don’t have an estimate right now as to when full access to tools will be restored, so thank you for bearing with us."
Slack released a statement to Reuters explaining there is no evidence of a vulnerability in