Uber confirmed on Friday that it was investigating a “cyber security incident” and that it had taken some of its internal communications and engineering systems offline while it was taking place.
The company said it had also contacted law enforcement about the hack.
The hacker allegedly gained access to Uber’s production systems, Slack management interface, endpoint detection and response portal, and cloud services, including the company’s source code and customer data.
Uber employees received a message from the hacker after the breach: “I announce that I am a hacker and that Uber has suffered a data breach.”
The New York Times interviewed the person who claimed responsibility for the hack, who said they are only 18 years old.
The hacker said they were able to gain access to the systems after sending a text message to an Uber employee claiming to be a corporate information engineer.
That employee was eventually persuaded to hand over a password that would allow the hacker to access Uber’s system, they said.
They later added that they spammed the employee with push authentications for over an hour and then contacted them via WhatsApp, claiming to be from Uber IT.
They told the employee that if he wanted the messages to stop, he had to accept the request. The employee also added the hacker’s device, which gave the hacker access.
The apparent hacker told the New York Times they hacked Uber because the company has “weak security”.
They also said that Uber drivers should be paid more.
Yuga Labs security engineer Sam Curry corresponded with the hacker and said they now have “almost complete access to Uber”.
“This is a total compromise, from how it looks,” Curry told the New York Times.
Acronis CISO Kevin Reed said the Uber breach is significant.
“Once on the internal network, the attackers found high privileged credentials on a network file share and used it to access everything including production systems, corp EDR console, Uber Slack management interface. This looks bad,” Reed posted on LinkedIn.
“Worse thing is, if you had your data in Uber, chances are so many people would have access to it. Let’s say if they know your email address, they might know where you live.”
Uber posted an update on the breach this weekend.
“While our investigation and response efforts are ongoing, here is a further update from yesterday’s incident: we have no evidence that the incident involved access to sensitive user data (such as travel history); all our services… are operational; internal software tools that we removed yesterday as a precaution are coming back online this morning,” Uber said in a statement.
Uber subscribes to HackerOne, a bug bounty platform that pays hackers to identify bugs in platforms and networks.
“We are in close contact with Uber’s security team, have their data locked down and will continue to assist in their investigation,” HackerOne chief hacker Chris Evans told the BBC.
It’s not the first time Uber’s cybersecurity has been breached.
In 2016, hackers stole the names, email addresses and phone numbers of 50 million Uber users around the world, along with the driver’s license numbers of 7 million drivers in the US. This included the personal information of 1.2 million Australians.
At the time, Uber paid a ransom to the hackers in an effort to cover up the breach, which was not revealed until a year later.
It was only in July of this year that the company officially took ownership of the data breach, with Uber agreeing to pay $212 million for civil lawsuits related to the incident.
As part of the settlement, Uber said its staff “failed to report the November 2016 data breach”.