Uber hack update: Lapsus$, hiring spree, and 2FA


Uber confirmed the threat actor behind the recent breach accessed several internal systems, including Slack messaging and an internal tool used to manage some invoices.

Uber believes the attacker is affiliated with the Lapsus$ group, infamous for targeting Microsoft, Cisco, Samsung, Nvidia, Okta and, most recently, Rockstar Games, from which multiple videos of the upcoming Grand Theft Auto 6 were leaked online. The leaked footage showed character movement, conversations, and other bits of gameplay from the yet unreleased game.

“We’re working with several leading digital forensics firms as part of the investigation. We will also take this opportunity to continue to strengthen our policies, practices, and technology to further protect Uber against future attacks,” Uber said in a blog post.

Lately, many security experts have noticed Uber is on a hiring spree, looking for security engineers across the US.

The company said that the attacker compromised the account of an Uber EXT contractor, most likely using a password bought on the dark web. The account was protected by two-factor authentication, but the attacker repeatedly triggered login approval requests (an MFA fatigue, or push-bombing, technique) until the contractor accepted one, which was enough for the attacker to log in successfully.
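The push-bombing pattern described above is visible in authentication logs: a burst of push requests for one account, most of them denied or timed out, followed by a single approval. The following detector is an added example written for this article; it is not Uber's tooling and not code from the original page. The log format (ISO timestamp, user, event name, source IP), the event names `push_sent`, `push_denied`, `push_timeout` and `push_approved`, the 30-minute window and the threshold of five pushes are all assumptions, and the log lines in `SAMPLE_LOG` are constructed for the example.

```python
"""Detect MFA push fatigue (push bombing) in authentication logs.

Added example, not part of the original article or Uber's own tooling.
Log format, event names and thresholds are assumptions chosen for the example.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=30)  # assumed lookback window for one bombing episode
THRESHOLD = 5                   # assumed: this many pushes in the window is suspicious

# Constructed sample log lines (assumed format): "<timestamp> <user> <event> <source_ip>"
SAMPLE_LOG = """\
2022-09-15T09:00:00Z alice push_sent 198.51.100.5
2022-09-15T09:00:12Z alice push_approved 198.51.100.5
2022-09-15T13:00:00Z bob push_sent 203.0.113.9
2022-09-15T13:03:00Z bob push_sent 203.0.113.9
2022-09-15T13:06:00Z bob push_sent 203.0.113.9
2022-09-15T13:09:00Z bob push_sent 203.0.113.9
2022-09-15T13:12:00Z bob push_sent 203.0.113.9
2022-09-15T13:15:00Z bob push_sent 203.0.113.9
2022-09-15T21:00:00Z contractor1 push_sent 203.0.113.7
2022-09-15T21:00:30Z contractor1 push_denied 203.0.113.7
2022-09-15T21:02:00Z contractor1 push_sent 203.0.113.7
2022-09-15T21:02:40Z contractor1 push_timeout 203.0.113.7
2022-09-15T21:05:00Z contractor1 push_sent 203.0.113.7
2022-09-15T21:05:45Z contractor1 push_denied 203.0.113.7
2022-09-15T21:08:00Z contractor1 push_sent 203.0.113.7
2022-09-15T21:08:50Z contractor1 push_timeout 203.0.113.7
2022-09-15T21:12:00Z contractor1 push_sent 203.0.113.7
2022-09-15T21:12:30Z contractor1 push_denied 203.0.113.7
2022-09-15T21:15:00Z contractor1 push_sent 203.0.113.7
2022-09-15T21:18:00Z contractor1 push_sent 203.0.113.7
2022-09-15T21:20:00Z contractor1 push_sent 203.0.113.7
2022-09-15T21:20:25Z contractor1 push_approved 203.0.113.7
"""


def parse_line(line):
    """Parse one log line into (timestamp, user, event, source_ip)."""
    ts, user, event, ip = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, user, event, ip


def detect_push_fatigue(lines, window=WINDOW, threshold=THRESHOLD):
    """Return alerts for push-bombing episodes, in chronological order.

    Two alert kinds are produced per user episode:
      push_fatigue_attempt - the threshold-th push within the window was sent
      push_fatigue_success - an approval arrived with >= threshold pushes in the window
    """
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e[0])
    # per-user sliding window of push_sent timestamps, plus whether the episode was already flagged
    state = defaultdict(lambda: {"pushes": deque(), "flagged": False})
    alerts = []
    for ts, user, event, ip in events:
        s = state[user]
        q = s["pushes"]
        while q and ts - q[0] > window:   # drop pushes that fell out of the window
            q.popleft()
        if not q:
            s["flagged"] = False           # window drained: a new episode can be flagged again
        if event == "push_sent":
            q.append(ts)
            if len(q) >= threshold and not s["flagged"]:
                s["flagged"] = True
                alerts.append({"kind": "push_fatigue_attempt", "user": user,
                               "at": ts.isoformat(), "pushes": len(q), "ip": ip})
        elif event == "push_approved":
            if len(q) >= threshold:
                alerts.append({"kind": "push_fatigue_success", "user": user,
                               "at": ts.isoformat(), "pushes": len(q), "ip": ip})
            q.clear()                      # a completed login ends the episode either way
            s["flagged"] = False
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG.splitlines()):
        print(json.dumps(alert))
```

On the constructed log, `alice` (one push, promptly approved) produces nothing, `bob` produces only an attempt alert because nobody ever approved, and `contractor1` produces an attempt alert at the fifth push and a success alert at the approval, which is the event that warrants an immediate session revocation and password reset rather than a ticket. Push-based MFA that lets the user tap "approve" without number matching or a reason prompt remains exposed to this pattern whatever the detection does; detection is the compensating control, not the fix.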

“From there, the attacker accessed several other employee accounts, which ultimately gave the attacker elevated permissions to a number of tools, including G-Suite and Slack. The attacker then posted a message to a company-wide Slack channel, which many of you saw, and reconfigured Uber’s OpenDNS to display a graphic image to employees on some internal sites,” Uber said.

The company identified compromised or potentially compromised employee accounts and either blocked their access to Uber or required a password reset. It also disabled many affected or potentially affected internal tools and locked down its codebase.

Uber assesses that the attacker did not access production systems, user accounts, or the databases that store sensitive user information (credit card data, bank account information, or trip history).

There’s been no change to Uber’s codebase and no evidence of the attacker accessing any customer or user data stored by the company’s cloud providers.

Uber confirmed the malicious hacker downloaded some internal Slack messages and accessed an internal tool used to manage invoices and Uber’s dashboard on HackerOne.

“However, any bug reports the attacker was able to access have been remediated,” Uber said.