Everything You Should Know About the Social Engineering Attack at Uber
A hacker claiming to be 18 years old breached ride-sharing company Uber last week and claimed to have access to a wide range of systems within the organization’s network. According to a New York Times report, a security researcher who communicated with the hacker called the incident a “total compromise” that gave the attacker “full access” to Uber.
The hacker, who appeared to have been motivated by Uber’s treatment of its drivers, also breached the company’s internal Slack channel and posted a message to employees about the attack. Full details about the breach aren’t available yet, as the company said it’s still investigating the scope of the incident.
However, this isn’t the first time Uber has been compromised. In 2016, a massive data breach that exposed sensitive data affected 57 million customers and drivers. The company admitted to covering up the breach when they were legally required to report it to the Federal Trade Commission. Uber’s former Chief of Security, Joe Sullivan, is currently on federal trial for obstruction of justice due to not disclosing the breach. His attorneys, however, have argued that he provided all the information to Uber’s legal team and that team was responsible for the disclosure to regulators.
What information is at risk?
Uber stated it has no evidence that any sensitive user data was compromised. However, the hacker reportedly gained access to a wide range of critical systems and resources, including:
- Uber source code
- Cloud repositories such as Amazon Web Services (AWS) and Google Cloud Platform (GPC)
It may be interesting to note that in the 2016 Uber breach, hackers also accessed a private source code repository. They used the code and a proprietary access key to steal user and driver data.
Want to learn more about using Dashlane Password Manager at home or at work?
Check out our personal password manager plans or get started with a free business trial.
How did the hacker do it?
The individual told the New York Times they used social engineering: a common phishing method that preys on human nature by manipulating individuals to share private and privileged information. The hacker contacted an employee through WhatsApp, claiming to be from Uber IT, and convinced the person to log in to a fake Uber webpage. This allowed the hacker to harvest the employee’s password and then trick the employee into authenticating access with the company’s multifactor authentication (MFA) app.
Tricking employees to divulge credentials is a common tactic for cyberattackers. “These types of social engineering attacks to gain a foothold within tech companies have been increasing,” Rachel Tobac, ethical hacker and chief executive of SocialProof Security, told the New York Times. She also noted that malicious actors now use kits that make it much easier to launch social engineering attacks.
Read Dashlane’s blog to learn Rachel Tobac’s tips for preventing cyberattacks.
Am I affected if I have an Uber account?
As mentioned earlier, Uber’s official statement said the company has no evidence that the incident involved sensitive data such as rider trip history. However, the investigation is still unfolding, so you should watch for updates.
Additionally, it’s a good idea to change your password and update any accounts that share the same credentials after any breach. Consider using a personal password manager such as Dashlane, which can help you easily create strong, unique, random passwords for each account. With the Dashlane personal password manager, you also don’t have to worry about memorizing any of your passwords except the one you use for the password manager app.
I have a business and am worried about my customers’ and employees’ data. What should I do?
Unfortunately, you don’t have to be a large or well-known company to be at risk of a hack similar to Uber’s. Whether you have a handful of employees or hundreds, you need to implement foundational cybersecurity defenses, starting with controls that help you protect your employees.
Most often, threat actors target people rather than technology. That’s why it’s important to start by using a business password manager and following these guidelines:
- Create a culture of security that makes employees active participants in protecting your company from cyber threats
- Continuously educate your employees about common phishing scams and social engineering attacks
- Use best practices for password management, such as generating strong passwords and sharing them securely with a password manager for businesses
Dashlane has created a free tool to help businesses learn if they’ve been breached. Use the Business Breach Report to receive a vulnerability report.
Breaches and hacks can happen to any person or business. When they occur, it's not uncommon for people across the business to feel somewhat responsible. In fact, in our recent research, we found that both employees and IT admins want tools like a password manager to secure their company.
Our thoughts are with the Uber team, especially the unsung heroes in IT, as they reconcile the incident. We hope they can make a full recovery, come back stronger, and avoid cybersecurity incidents in the future.
Correction: September 23, 2022.
Since the publication of this post, Uber has confirmed the media account of how the attacker gained access. According to the company’s statement, the contractor’s corporate Uber credentials were exposed because the person’s personal device was infected with malware, and those credentials were sold on the dark web. Uber also said that after logging in, the attacker was able to hack into other employee accounts to elevate access to the various tools.