This Latest Uber Hack Seems A Lot Like Their 2016 Hack…. Which Is Really, Really, Bad For Uber

Earlier today I posted a story on Uber apparently getting pwned by an 18-year-old who wants higher pay for Uber drivers. I’m not going to go down that rabbit hole, but instead I will go down another one. A white-hat hacker named Corben Leo appears to have had an exchange with the attacker, and he posted it to Twitter:

So in short:

  • They social-engineered an employee to get their VPN and Slack login
  • Once on Slack, they found a link to a network share
  • The share contained PowerShell scripts
  • One of these had the username and password of an Uber admin hard-coded in it
  • Those credentials gave them access to everything else
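The step that did the real damage here is the admin password sitting in plain text inside a script on a share. The check a defender wants is a scan of those shares for embedded credentials before an attacker finds them. The Python below is an added example, not something from the original post or from Uber; it runs a few regexes over the text of a PowerShell script and reports each hit with the secret redacted. The sample script, its hostnames and its password values are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Common ways credentials end up embedded in PowerShell scripts.
# Each entry is (kind, regex); the named group "secret" captures the literal to redact.
CREDENTIAL_PATTERNS = [
    ("plaintext-securestring",
     re.compile(r"ConvertTo-SecureString\s+(['\"])(?P<secret>[^'\"]+)\1\s+-AsPlainText", re.IGNORECASE)),
    ("password-variable",
     re.compile(r"\$\w*(?:pass|pwd|secret|token|apikey)\w*\s*=\s*(['\"])(?P<secret>[^'\"]+)\1", re.IGNORECASE)),
    ("password-parameter",
     re.compile(r"-(?:Password|Secret|Token)\s+(['\"])(?P<secret>[^'\"]+)\1", re.IGNORECASE)),
    ("credentials-in-url",
     re.compile(r"[a-z][a-z0-9+.-]*://[^\s'\"/:@]+:(?P<secret>[^\s'\"@]+)@", re.IGNORECASE)),
]


@dataclass
class Finding:
    line_no: int   # 1-based line in the script
    kind: str      # which pattern fired
    redacted: str  # the offending line with the secret masked


def redact(line: str, secret: str) -> str:
    """Mask the captured secret so the report itself does not leak it."""
    return line.replace(secret, "*" * len(secret))


def find_embedded_credentials(script_text: str) -> list[Finding]:
    """Scan one PowerShell script's text and return every line that looks like an embedded credential."""
    findings = []
    for line_no, line in enumerate(script_text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("#"):
            continue  # comments are not executable, skip them
        for kind, pattern in CREDENTIAL_PATTERNS:
            match = pattern.search(line)
            if match:
                findings.append(Finding(line_no, kind, redact(stripped, match.group("secret"))))
                break  # report one finding per line
    return findings


def scan_report(script_text: str) -> list[tuple[int, str, str]]:
    """Plain-tuple view of the findings, convenient for logging or tests."""
    return [(f.line_no, f.kind, f.redacted) for f in find_embedded_credentials(script_text)]


# Constructed sample script: hosts, account names and password values are all made up.
SAMPLE_SCRIPT = r'''
# Nightly backup job (constructed example, not a real script)
$server = "backup01.corp.example"
$adminUser = "CORP\backup-admin"
$adminPass = "Hunter2-PlaceholderPassword"
$secure = ConvertTo-SecureString "Hunter2-PlaceholderPassword" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($adminUser, $secure)
Invoke-Command -ComputerName $server -Credential $cred -ScriptBlock { Get-Service }
$uri = "https://svc-deploy:Tok3n-Placeholder@artifacts.corp.example/latest"
Get-Content .\config.json | Out-Null
'''

if __name__ == "__main__":
    for line_no, kind, redacted in scan_report(SAMPLE_SCRIPT):
        print(f"line {line_no}: {kind}: {redacted}")
```

Run it as-is and it flags the hard-coded `$adminPass`, the `ConvertTo-SecureString ... -AsPlainText` call and the token in the URL, while leaving the `PSCredential` construction and `-Credential $cred` alone because those reference a variable rather than a literal. The patterns are heuristics: a password assembled from fragments or read from an unprotected file next to the script will not be caught, so the scan complements, rather than replaces, moving such secrets into a vault the script fetches at run time.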

The New York Times apparently spoke to the hacker and got similar details. Thus I think that this is legit. The thing is, the way that the hacker got in is incredibly similar to a 2016 incident where Uber was pwned. The hackers got the names, email addresses and phone numbers of 57 million riders. The hackers also nabbed the driver’s license numbers of 600,000 Uber drivers. Which of course is bad. Uber then went out of their way to cover up the breach, paying the hackers $100K to keep it quiet. And to top it all off, an exec was charged with covering this up. Now in this latest hack, we have a very similar attack profile, because this is how the 2016 hack happened according to Bloomberg:

Here’s how the hack went down: Two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company. From there, the hackers discovered an archive of rider and driver information. Later, they emailed Uber asking for money, according to the company.

This latest hack seems to have gone down in a similar manner. That is, they got in using employee credentials and then found enough information to move laterally inside Uber’s network. That implies that Uber didn’t learn anything from their 2016 hack. Which is why I suspect that a whole lot of people on Capitol Hill and in law enforcement will be looking very long and hard at Uber. And seeing that this is an election year in the US, Uber will likely be called onto the carpet to explain why they don’t have their act together when it comes to cybersecurity.
