The ride-hailing service Uber said Friday that all its services were operational following what security professionals are calling a major data breach, claiming there was no evidence the hacker got access to sensitive user data. But the breach, apparently by a lone hacker, put the spotlight on an increasingly effective break-in routine involving social engineering: The hacker apparently gained access posing as a colleague, tricking an Uber employee into surrendering credentials. The hacker was then able to locate passwords on the network providing the level of privileged access reserved for system administrators, the AP reports. Uber also had a serious breach in 2016.
The potential damage was serious: Screenshots the hacker shared with security researchers indicate full access to the cloud-based systems where Uber stores sensitive customer and financial data was achieved. It is not known how much data the hacker stole while in Uber's network. Two researchers who communicated directly with the person—who self-identified as an 18-year-old to one of them—said the hacker appeared interested in publicity. There was no indication any data were destroyed. But files shared with the researchers and posted widely on Twitter and other social media indicated the hacker was able to access Uber's most crucial internal systems.
"It was really bad the access he had. It's awful," said Corben Leo, one of the researchers who chatted with the hacker online. The cybersecurity community's reaction was harsh. The hack "wasn't sophisticated or complicated and clearly hinged on multiple big systemic security culture and engineering failures," tweeted Lesley Carhart of Dragos Inc., which specializes in industrial-control systems. Leo said screenshots the hacker shared showed the intruder got access to systems stored on Amazon and Google cloud-based servers where Uber keeps source code, financial data, and customer data such as driver's licenses. "If he had keys to the kingdom he could start stopping services. He could delete stuff. He could download customer data, change people’s passwords," said Leo of the security company Zellic.
(More
Uber stories.)