Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Social Engineering Caused Uber Data Breach

September 22, 2022

USA Today reported on September 18 that Uber said all its services were operational following what security professionals are calling a major data breach, and that the company claimed there was no evidence the hacker got access to sensitive user data.

The breach, apparently by a lone hacker, shone a light on an increasingly effective break-in method involving social engineering: The hacker apparently gained access posing as a colleague, tricking an Uber employee into surrendering their credentials. He was then able to locate passwords on the network that got him the level of privileged access reserved for system administrators.

The potential damage was serious: Screenshots the hacker shared with security researchers indicate they obtained full access to the cloud-based systems where Uber stores sensitive customer and financial data.

It is not known how much data the hacker stole or how long he was inside Uber’s network. Two researchers who communicated directly with the person, who self-identified as an 18-year-old to one of them, said he appeared interested only in publicity. There was no indication of data destruction.

However, files shared with the researchers and posted widely on Twitter and other social media indicated the hacker was able to access Uber’s most crucial internal systems.

The hack “wasn’t sophisticated or complicated and clearly hinged on multiple big systemic security culture and engineering failures,” tweeted Lesley Carhart, incident response director of Dragos Inc., which specializes in industrial-control systems.

Screenshots the hacker shared showed the intruder got access to systems stored on Amazon and Google cloud-based servers where Uber keeps source code, financial data and customer data such as driver’s licenses.

Other screenshots showed sensitive financial data and internal databases accessed. The hacker announced the breach on Uber’s internal Slack collaboration system.

It appears the hacker did not seek to cause damage – only to get publicity.

As one expert said, “It’s pretty clear he’s a young hacker because he wants what 99% of what young hackers want, which is fame.”

Uber said there was no evidence that the intruder accessed “sensitive user data” such as trip history but did not respond to questions from The Associated Press including about whether data was stored encrypted.

Uber did not recommend any specific actions for its users, such as changing passwords.

How did the hacker get in? He first obtained the password of an Uber employee, likely through phishing. The hacker then bombarded the employee with push notifications asking they confirm a remote log-in to their account. When the employee did not respond, the hacker reached out via WhatsApp, posing as a fellow worker from the IT department and expressing urgency. Ultimately, the employee gave in and confirmed with a mouse click.

We can’t say it often enough – urgent requests like this are a red flag!!!

Rachel Tobac, CEO of SocialProof Security, which specializes in training workers not to fall victim to social engineering, tweeted, “The hard truth is that most orgs in the world could be hacked in the exact way Uber was just hacked.” In an interview, she said “even super tech savvy people fall for social engineering methods every day.”

“Attackers are getting better at bypassing or hijacking MFA (multi-factor authentication),” said Ryan Sherstobitoff, a senior threat analyst at SecurityScorecard.

That’s why many security professionals advocate the use of so-called FIDO physical security keys for user authentication. Adoption of such hardware has been spotty among tech companies, however.

The hack also highlighted the need for real-time monitoring in cloud-based systems to better detect intruders, said Tom Kellermann of Contrast Security. “Much more attention must be paid to protecting clouds from within” because a single master key can typically unlock all their doors.
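The push-bombing pattern described above (repeated MFA prompts until the employee finally clicks “approve”) leaves a trace in authentication logs, which is where the real-time monitoring Kellermann calls for can start. The following is an added example, not code from this post or from Uber: a small Python check over constructed log lines that flags any user whose MFA push was approved only after several timeouts or denials within a short window. The log format, field names, addresses and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from Uber or the article).
# Each line: timestamp, user, event type, MFA push outcome, source address.
SAMPLE_LOG = """\
2022-09-15T21:02:11Z user=alice event=mfa_push result=timeout src=203.0.113.10
2022-09-15T21:03:05Z user=alice event=mfa_push result=denied src=203.0.113.10
2022-09-15T21:04:40Z user=alice event=mfa_push result=timeout src=203.0.113.10
2022-09-15T21:06:12Z user=alice event=mfa_push result=timeout src=203.0.113.10
2022-09-15T21:09:55Z user=alice event=mfa_push result=approved src=203.0.113.10
2022-09-15T21:10:01Z user=bob event=mfa_push result=approved src=198.51.100.7
"""

def parse(line):
    """Turn one 'key=value' log line into a dict with a parsed timestamp."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def find_push_fatigue(log_text, window=timedelta(minutes=15), min_failures=3):
    """Return {user: failure_count} for each user whose MFA push was approved
    after at least min_failures timeouts/denials inside the preceding window.
    An approval that follows a burst of ignored or denied prompts is the
    signature of a push-fatigue attack rather than a normal login."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse(line)
        if rec.get("event") == "mfa_push":
            by_user[rec["user"]].append(rec)
    alerts = {}
    for user, events in by_user.items():
        events.sort(key=lambda r: r["ts"])
        for i, ev in enumerate(events):
            if ev["result"] != "approved":
                continue
            failures = [e for e in events[:i]
                        if e["result"] in ("timeout", "denied")
                        and ev["ts"] - e["ts"] <= window]
            if len(failures) >= min_failures:
                alerts[user] = len(failures)
    return alerts

if __name__ == "__main__":
    for user, n in find_push_fatigue(SAMPLE_LOG).items():
        print(f"ALERT: {user} approved an MFA push after {n} failed prompts")
```

On the sample data only alice is flagged (four failed prompts in under eight minutes before the approval); a single approval with no prior failures, as for bob, is left alone.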

Some experts questioned how much cybersecurity has improved at Uber since it was hacked in 2016.

Its former chief security officer, Joseph Sullivan, is currently on trial for allegedly arranging to pay hackers $100,000 to cover up that high-tech heist, when the personal information of about 57 million customers and drivers was stolen.

Hmmm. It sure seems as though Uber didn’t learn very much from 2016. If, indeed, the hacker had no intent to harm Uber and only wanted publicity, Uber “skated” through what could have been a massive crisis. And I’ll sure be interested to see the results of Mr. Sullivan’s trial.

Update from SC Media: “The company said it believes a contractor’s corporate password was purchased on the dark web and repeated attempts to log into the contractor’s Uber account were blocked because of two-factor authorization before one was eventually accepted. After successfully logging in, the attacker accessed several other employee accounts and was able to elevate permissions to a number of tools, including G-Suite and Slack.”

Sharon D. Nelson, Esq., President
Sensei Enterprises, Inc.
3975 University Drive, Suite 225
Fairfax, VA 22030
Email:   Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson