Skip to main content
close search
site logo

Uber details how it got hacked, claims limited damage

While there’s no evidence the rideshare company’s codebase was altered, the attacker did gain access to Slack, vulnerability reports and financial data.

Published Sept. 19, 2022
Matt Kapko's headshot
Senior Reporter
Closeup of an Uber sign on the rear window of a car in the rain.
The Uber logo is displayed on a car on March 22, 2019 in San Francisco. Justin Sullivan via Getty Images

Uber asserts the threat actor behind last week’s cyberattack did not access the company’s production environment, any user accounts or databases it uses to store sensitive information.

The rideshare and food delivery company, in a Monday security update, said it found no evidence its codebase was altered nor was any customer or user data stored by its cloud providers accessed.

The attacker did, however, gain access and exfiltrate Slack messages, data for a tool Uber’s finance team uses to manage invoices, and the company’s dashboard at HackerOne, where it stores vulnerability reports.

“Any bug reports the attacker was able to access have been remediated,” the company said in the update.

Uber, following an initial investigation, said the threat actor compromised a contractor’s account. The company said the attacker likely purchased the individual’s corporate password on the dark web after their personal device was infected with malware, exposing their credentials.

The threat actor initiated a multifactor authentication fatigue attack, wherein they repeatedly tried to log in to the contractor’s Uber account, which prompted two-factor authentication requests. 

The contractor eventually accepted one of those requests, which allowed the threat actor to log in successfully, according to Uber.

Uber pinned the blame for last week’s cyberattack on a threat actor affiliated with Lapsus$, the extortion group responsible for attacks this year on Cisco, Nvidia, Microsoft, Okta, Samsung and, reportedly, Rockstar Games over the weekend.

Uber said it’s closely coordinating recovery and response efforts with the FBI and Department of Justice. The company also pledged to strengthen its cyber policies, practices and technology to improve its defenses.

Uber’s services were not impacted by the attack and remain operational. The company has not yet responded to requests for comment.

“From there, the attacker accessed several other employee accounts which ultimately gave the attacker elevated permissions to a number of tools, including Google Workspace and Slack,” the company said in the update. 

The threat actor posted a message on a companywide Slack channel and reconfigured Uber’s OpenDNS to “display a graphic image to employees on some internal sites,” the company said.

Uber did not explain how the threat actor accessed other employee accounts after the contractor’s account was compromised.

The company said it took multiple protective measures in response to the attack:

  • Compromised or potentially compromised accounts were identified and blocked or required password resets to regain access.
  • Many internal tools were disabled.
  • Access parameters were reset on many of Uber’s internal services via key rotations.
  • The company’s codebase was locked down, preventing any new code changes.
  • When Uber restored access to internal tools it required employees to reauthenticate credentials.

Recommended Reading

Filed Under: Cyberattacks

Editors' picks

Company Announcements

View all | Post a press release
Fathom5’s ARIA Technology Joins NSIN Propel Maritime Digital Defense Accelerator
From Fathom5
November 18, 2024
DigiCert Unveils 2025 Security Predictions
From DigiCert
November 21, 2024
Nile Adds Industry’s First Campus Zero Trust Delivered As a Service
From Nile
November 21, 2024
Whalebone Ranks Third Straight Year Among Central Europe’s 50 Fastest-Growing Companies
From Whalebone
November 25, 2024
Editors' picks
Latest in Cyberattacks
Industry Dive is an Informa TechTarget business.
© 2024 TechTarget, Inc. or its subsidiaries. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell
This website is owned and operated by Informa TechTarget, part of a global network that informs, influences and connects the world's technology buyers and sellers. All copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. TechTarget, Inc.'s registered office is 275 Grove St. Newton, MA 02466.