Hacker claims to have hacked into Uber network, security researcher says

Uber said Thursday it contacted law enforcement after a hacker apparently hacked into its network. A security engineer said the intruder provided evidence that he gained access to crucial systems from the ride-sharing service.

There was no indication that Uber’s fleet of vehicles or its operation had been affected in any way.

“It looks like they’ve compromised a lot of things,” said Sam Curry, a Yuga Labs engineer who contacted the hacker. That includes full access to cloud environments hosted by Amazon and Google where Uber stores its source code and customer data, he said.

Curry said he spoke to several Uber employees who said they were “working to lock everything down internally” to restrict the hacker’s access. This included the San Francisco company’s internal Slack messaging network, he said.

He said there was no indication the hacker caused any damage or was interested in anything other than publicity. “My gut feeling is that it looks like they’re looking to get as much attention as possible.”

The hacker had alerted Curry and other security researchers to the intrusion Thursday night by using an internal Uber account to comment on vulnerabilities they had previously identified on the company’s network through its bug bounty program, which pays ethical hackers to flush out network weaknesses.

The hacker provided a Telegram account address and Curry and other researchers then engaged them in a separate conversation, sharing screenshots of various Uber cloud provider pages to prove they broke in .

The Associated Press attempted to contact the hacker on the Telegram account where Curry and the other researchers chatted with them. But no one answered.

The New York Times reported that the person who claimed responsibility for the hack said they gained access through social engineering: they texted an Uber employee claiming to be a company technology employee and persuaded the employee to hand over a password that gave them access to the network.

The newspaper said the hacker said he was 18 and said he broke in because the company’s security was weak.

A screenshot posted to Twitter and confirmed by researchers shows a conversation with the hacker in which they say they obtained the credentials of an administrative user through social engineering.

Social engineering is a popular hacking strategy because humans tend to be the weakest link in any network. Teenagers used a similar scheme in 2020 to hack Twitter.

Uber said via email that it is “currently responding to a cybersecurity incident. We are in contact with law enforcement.” It said it would provide updates on its Uber Communications Twitter feed.

The company has already been hacked.

His former security chief, Joseph Sullivan, is currently on trial over allegations that he arranged to pay hackers $100,000 to cover up a 2016 high-tech heist in which the personal information of around 57 million customers and drivers were robbed.