Uber on Friday confirmed it was investigating a “cyber security incident”, and that it had taken a number of its internal communications and engineering systems offline while this was taking place.
The company said it had also contacted law enforcement officials about the hack.
The hacker is understood to have gained access to Uber’s production systems, Slack management interface, its endpoint detection and response portal and its cloud services, which include the company’s source code and customer data.
Uber employees received a message from the hacker following the breach: “I announce I am a hacker and Uber has suffered a data breach.”
The New York Times interviewed the person who has claimed responsibility for the hack, who said they are just 18 years old.
The hacker said that they were able to gain access to the systems after sending a text message to an Uber worker claiming to be a corporate information tech person.
That worker was eventually persuaded to hand over a password that allowed the hacker to gain access to Uber’s system, they said.
They later added that they spammed the employee with push authentications for over an hour, then contacted them on WhatsApp claiming to be from Uber IT.
They told the employee that if he wanted the messages to stop, he had to accept the request. In doing this, the man added the hacker’s device, allowing them to gain access.
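The sequence described above (a long run of unanswered push prompts, then one approval, then a new device added to the account) can be looked for in MFA logs. The following detection logic is an added example, not part of the original article and not Uber's tooling; the log schema, event names, thresholds and sample events are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample MFA log: (timestamp, user, event, device). Hypothetical schema.
SAMPLE_EVENTS = [
    ("2024-01-10T18:02:00", "bob", "push_denied", "bob-phone"),
    ("2024-01-10T18:03:00", "bob", "push_approved", "bob-phone"),
    ("2024-01-10T19:00:00", "alice", "push_timeout", "alice-phone"),
    ("2024-01-10T19:12:00", "alice", "push_denied", "alice-phone"),
    ("2024-01-10T19:25:00", "alice", "push_timeout", "alice-phone"),
    ("2024-01-10T19:31:00", "alice", "push_denied", "alice-phone"),
    ("2024-01-10T19:44:00", "alice", "push_timeout", "alice-phone"),
    ("2024-01-10T19:52:00", "alice", "push_denied", "alice-phone"),
    ("2024-01-10T19:58:00", "alice", "push_approved", "alice-phone"),
    ("2024-01-10T20:01:00", "alice", "device_enrolled", "unknown-device-1"),
]

def detect_push_fatigue(events, window=timedelta(minutes=75), min_failed=5,
                        enroll_window=timedelta(minutes=15)):
    """Flag an approval that follows a burst of denied/timed-out pushes,
    and note any device enrolled shortly after that approval."""
    failed = defaultdict(deque)   # user -> times of recent unapproved pushes
    pending = {}                  # user -> (approval time, alert awaiting enrollment)
    alerts = []
    for ts, user, event, device in sorted(events):  # ISO timestamps sort in time order
        t = datetime.fromisoformat(ts)
        if event in ("push_denied", "push_timeout"):
            failed[user].append(t)
        elif event == "push_approved":
            q = failed[user]
            while q and t - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= min_failed:
                alert = {"user": user, "approved_at": ts,
                         "failed_pushes": len(q), "new_device": None}
                alerts.append(alert)
                pending[user] = (t, alert)
            q.clear()                        # an approval resets the burst counter
        elif event == "device_enrolled" and user in pending:
            approved, alert = pending.pop(user)
            if t - approved <= enroll_window:
                alert["new_device"] = device  # enrollment right after a coerced approval
    return alerts

if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_EVENTS):
        print(alert)
```

A single denied prompt followed by an approval, as with the constructed user "bob", stays below the threshold and is not flagged.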
The apparent hacker told the New York Times they hacked into Uber because the company has “weak security”.
He also reportedly said that Uber drivers should be paid more.
Yuga Labs security engineer Sam Curry corresponded with the hacker and said they now “pretty much have full access to Uber”.
“This is a total compromise, from what it looks like,” Curry told the New York Times.
Acronis CISO Kevin Reed said the Uber breach is significant.
“Once on the internal network, the attackers found high privileged credentials laying on a network file share and used them to access everything, including production systems, corp EDR console, Uber slack management interface. This looks bad,” Reed posted on LinkedIn.
“What’s worse is if you had your data in Uber, there’s a high chance so many people have access to it. Say, if they know your email, they may then know where you live.”
Uber posted an update on the breach over the weekend.
“While our investigation and response efforts are ongoing, here is a further update on yesterday’s incident: we have no evidence that the incident involved access to sensitive user data (like trip history); all of our services…are operational; internal software tools that we took down as precaution yesterday are coming back online this morning,” Uber said in a statement.
Uber is a subscriber to HackerOne, a bug bounty platform which pays hackers to identify bugs in platforms and networks.
“We’re in close contact with Uber’s security team, have locked their data down, and will continue to assist with their investigation,” HackerOne chief hacking officer Chris Evans told the BBC.
It’s not the first time that Uber’s cyber security has been breached.
In 2016, hackers stole the names, email addresses and phone numbers of 50 million Uber users around the world, along with the driver’s licence numbers of 7 million drivers in the US. This included the personal information of 1.2 million Australians.
At the time, Uber paid a ransom to the hackers in an attempt to cover up the breach, which was not revealed for another year.
It wasn’t until July this year that the company officially owned up to the data breach, with Uber agreeing to pay $212 million for civil litigation in relation to the incident.
As part of the settlement, Uber said that its staff “failed to report the November 2016 data breach”.