Uber has announced a “cyber security incident”, the culprit of which was found to be an 18-year-old hacker infiltrating employees’ Slack network
The threat actor compromised the Slack app, using it to send messages to Uber employees, stating: “I announce I am a hacker and Uber has suffered a data breach”, before listing the databases they had gained access to.
On Monday, the ride-sharing company stated that the hacker was afiliated with the cyber crime group Lapsus$, which has been behind similar attacks on the networks of Microsoft, Cisco and Okta among others.
According to the New York Times, the culprit gained access via social engineering, tricking an Uber staff member into giving them login credentials to access the company’s Slack channel.
The New York Times report goes on to reveal that the hacker provided a Telegram account address, and claims they infiltrated Uber’s social media system because the company had “weak security”.
Bleeping Computer has reached out to the person allegedly responsible, and in the process found screenshots showing access to “critical Uber IT systems”, including Uber’s Slack channel, AWS console, and Google Workspace email admin dashboard.
Following the attack, the Slack system was taken offline on Thursday afternoon.
Uber’s core services appear unaffected, but it’s currently unknown whether customer data has been impacted.
“This latest breach against Uber comes at a time when the company is already facing increased security scrutiny over its handling, and alleged coverup, of a previous incident,” said Julia O’Toole, CEO of MyCena Security Solutions.
“If these claims are true, it sounds like the attacker was very easily able to compromise Uber’s systems using social engineering to guess an employee’s login and password.
“This once again highlights that when users know and make up their own passwords, these can easily be guessed or phished from them, and this gives attackers access to the digital kingdom.”
A lack of security awareness
Social engineering methods such as phishing have proved a common way in which threat actors have successfully gained access to the systems of organisations.
Matt Aldridge, principal solutions consultant, BrightCloud at OpenText Security Solutions, identified two major factors in attacks like this occurring: “the exploitation of poorly trained users”; and “the carelessness to leave privileged credentials on a network share”.
Aldridge continued: “This highlights why it is so critical to provide quality, regular security awareness training to all workers, and to operate regular penetration tests to find any lurking credentials or backdoors for attackers so that these can be locked down.”
Biometrics for retaining consumer trust
To combat social engineering techniques and maintain consumer trust in services, Callsign EMEA general manager Steve O’Malley suggests: “Business leaders need to start pivoting away from outdated protection methods such as OTPs and shift to more innovative technologies.
“For example behavioural biometrics works to identify genuine users through analysing the way they swipe, type or text, without being prone to social engineering – working towards better protecting consumers’ online identity.
“Callsign’s recent Digital Trust Index research has found with the ongoing shift to digital services, 50 per cent of consumers believe that a regulated digital identity system will become part of our daily lives within five years. The onus is now on the public and private sector to partner to put better security strategies in place to make sure they are building trust with consumers and protecting their online identity.”
Related:
Considering digital trust: why zero trust needs a rethink — David Mahdi, chief strategy officer and CISO advisor at Sectigo, discusses the important role of digital trust in the security strategy.
Information security vs cyber security: distinguishing the expertise — David Steele, managing director and principal security consultant at SecuriCentrix, identifies the differences of information security vs cyber security.
