It seems Uber has been hacked by an 18-year-old. As learned Thursday, the attacker managed to obtain full admin access to the company’s AWS, Duo, OneLogin, G Suite and VMware vSphere domain accounts, and much more. They even grabbed Uber’s source code and have sent out screenshots to prove it.
Not a great time for Uber then. But what really gets me is how people are said to have reacted when asked to stop interacting with the hacker on Slack—if you work in IT you might need to ask a friend to hold you back for this one.
According to The New York Times, the person responsible for the Uber hack claims to have gained access simply by sending a text message to an Uber employee while pretending to be from the company’s corporate IT team. The hacker, if we can even call them that, just convinced the employee to send over their login credentials and, boom, full access granted.
Yuga Labs engineer Sam Curry posted on Twitter about the event, having spoken to the apparent hacker, who claims to be just 18 years old. They sent some very genuine-looking screenshots of internal systems to back up their claims.
Curry spoke to some Uber employees about their experience: “At Uber, we got an ‘URGENT’ email from IT security saying to stop using Slack,” one employee said. “Now whenever I request a website, I am taken to a REDACTED page with a pornographic image and the message ‘F*** you wankers’.”
Another employee reported that, “Instead of doing anything, a good portion of the staff was interacting and mocking the hacker thinking someone was playing a joke. After being told to stop going on slack, people kept going on for the jokes.”
Somebody hacked an Uber employee’s HackerOne account and is commenting on all of the tickets. They likely have access to all of the Uber HackerOne reports. pic.twitter.com/00j8V3kcoE (September 16, 2022)
The Slack channel was finally taken offline after one message read “I announce I am a hacker and Uber has suffered a data breach.” It also went on to list a bunch of systems they were claiming to have access to. What’s really wild is that, since there doesn’t seem to be any rhyme or reason behind the attack, “it looks like maybe they are this kid who got into Uber and doesn’t know what to do with it, and is having the time of his life,” Curry jokes.
Ars Technica reports that this isn’t the first time Uber has been involved in a data breach. Back in 2016 Uber allegedly failed to report a massive data breach in which 57 million customer and driver names, email addresses and phone numbers were stolen. The company allegedly failed to report the incident to the Federal Trade Commission, instead opting to pay the hackers a $100,000 bug bounty so they would delete the data and sign an NDA, and out of embarrassment passing it all off as part of a security test.
That time, it resulted in one of Uber’s top security execs, Joe Sullivan, being fired, although his lawyers say he was made a scapegoat for the failings of other employees.
The recent attack is now under investigation, with Uber’s official Twitter account stating Thursday, “We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available.”
How people haven’t figured out that giving your password out is a terrible idea by now, I’ll never know. They call it social engineering, but attacks like this are so excruciatingly low effort that a name like that is frankly an insult to engineers.
Bottom line? Please don’t give your passwords out, even if someone claims to be from IT. That team should already have access to your account in case you forget your password.