How an 18-Year-Old Teen Breached Uber Without Hacking a Single System

Written by antagonist | Published 2022/09/21
Tech Story Tags: cybersecurity | security | latest-tech-stories | hackernoon | hackernoon-writing-competition | hacking | fintech | hackernoon-top-story

TL;DR: An 18-year-old hacker breached Uber's internal systems on September 16. Uber staff thought it was a joke and made GIFs to meme the situation; they had no idea the news would reach the front page of the New York Times. The teenage hacker social-engineered his way in using an MFA-fatigue attack. Experts have weighed in on the breach and proposed fixes, but Uber's shares are still reeling from the impact.

September 16 was a regular day in Slack for Uber staff. Team members were chatting about their schedules for the week and the latest updates on their projects. A couple of channels were probably filled with the usual banter and idle conversation, while others were quiet, waiting for someone to break the silence.

Safe to say, nothing seemed out of place. Not even a new user who had joined the company's workspace. This user went by the name 'Nwave', with no profile picture, biography, or job title. No one thought much of it; none of the staff had a reason to. Workers modify their profiles all the time.

Then, something else happened. The newcomer announced they had hacked Uber. According to screenshots posted on social media, the message read as follows (its key lines are quoted and dissected below):

A deluge of emojis followed the announcement: satirical sirens, laid-back popcorn, mocking faces, and lighthearted alarms. To the staff, the message's brazenness looked like a TikTok prank. They thought it was a joke, made GIFs to meme the situation, and some even started interacting with the hacker.

At that point, no one knew the extent of the hack, or that an 18-year-old intruder who had been learning cybersecurity was using Uber as a practice ground. More significantly, the staff didn't know the news would make its way to the front page of the New York Times, prompting security alerts from partners and reactions across the cybersecurity industry.

First off, how did the Uber breach happen? Let's begin by dissecting the announcement.

'I am a hacker, and Uber has suffered a data breach...'

A hacker has advanced knowledge of computer systems and networks and can use that knowledge to break into other people's systems. Hackers are commonly sorted into three types:

  • Black Hat: A black hat hacker uses their skills maliciously to gain access to, or otherwise disrupt, computer systems and networks. They do so without permission and often to cause harm, such as stealing information or money.

  • White Hat: A white hat hacker uses their skills for good, finding security flaws in systems and reporting them so they can be fixed before any harm is done.

  • Grey Hat: A grey hat hacker breaks the rules (for example, probing systems without permission) but may not have malicious motives. They might simply be interested in learning how things work or playing with new technology for fun.

An article published by Infosec Institute argues that there is a psychological benefit to profiling hackers as part of security awareness. Still, profiling can only go so far if we want to shift attention from the hacker to the hacked. In Uber's case, the latter prevailed.

The intruder was never named. All we know is that they are a teenager (18 years old) who claimed to have only recently learned some cybersecurity skills. Uber, however, says they are affiliated with Lapsus$, a notorious hacking group. So are they black hat, white hat, or grey hat? Further details will tell. Let's look at the breach.

A data breach or leak is a security incident in which unauthorized access to data occurs. The accessed data may be confidential, private, or public. IBM's 2021 Cost of a Data Breach report puts the average total cost of a breach at $4.24 million.

Narrowing the statistics down, a Comparitech study points to California as the state that has suffered the most data breaches in the United States over the past 15 years. Uber is based in San Francisco, California. Still, we can't judge the breach's impact, or draw conclusions about the hacker, until we know what was stolen or exposed.

'...Slack has been stolen, confidential data, along with secrets from sneakers...'

Slack is a popular communication tool for organizations, sometimes called 'the corporate Facebook.' It keeps everyone in a company in the loop on projects and lets teams share documents and files.

Thanks to its collaboration features and integrations, Slack boasts more than 10 million daily active users. According to DMR, 65% of the Fortune 100 pay for the platform, and some 750,000 organizations use it.

Despite its benefits, Slack isn't immune to cyber threats. Its user base makes it a frequent target for hackers, and when they aren't targeting the platform itself, they are targeting individual companies' workspaces on it.

In 2015, Slack suffered a major cyber attack, which led it to add two-factor authentication. Although the company hasn't been comprehensively breached since then, its workspaces have served as a backdoor into other companies. Social media giant Twitter was compromised via Slack in 2020; video game maker Electronic Arts in 2021; and now the ride-hailing service, Uber.

In all of these breaches, companies lost large volumes of data, and Uber is no exception. The hacker claimed to have taken Uber's Atlassian Confluence, its Stash server (Atlassian's Git repository hosting product, now Bitbucket Server), and two monorepos (single repositories holding many projects) from Phabricator, a code review and repository tool. They further claimed to have 'secrets from sneakers' ready to spill and posted screenshots to back it up.

Uber, in its report, confirmed the unauthorized access. It narrowed the affected scope to internal communication and engineering systems, which included Slack, the AWS console, Google Workspace, VMware virtual machines, corporate email accounts, and, most importantly, the company's HackerOne bug bounty program, where researchers report vulnerabilities in Uber's systems.

'#uberunderpaisdrives'

Easily the most profound line in the announcement is the hashtag #uberunderpaysdrivers, misspelled as #uberunderpaisdrives. It's not unusual for hackers to use their skills to push for social or economic change or to make a political statement. But does this make the intruder white hat, black hat, or grey hat?

On the surface, Uber could be underpaying drivers: in 2017, the company admitted to accidentally underpaying drivers in New York City for more than two years. Look deeper, though, and hackers are known to hide behind social advocacy to win public sympathy.

Thus, labeling the intruder seems hurried. The extent of the damage is unknown as investigations continue, and whether the hacker had access to sensitive customer data, and what they planned to do with it, remains unclear. The person(s) presented themselves to the New York Times and even shared a Telegram channel for white-hat discussion, but if they are part of Lapsus$, that points to a black-hat operation with a larger scheme.

The meat: How the hacker got in

According to a series of tweets from Corben Leo (CMO, Zellic.io), Sam Curry (Security Engineer, Yuga Labs), and vx-underground, the hacker combined social engineering with MFA fatigue.

Social engineering uses human interaction and manipulation to gain access to computer systems. Social engineers use deception, influence, and persuasion to trick people into giving up confidential information, performing actions, or installing software that compromises security. They often pose as members of the target organization or company, or they may pose as someone else entirely (for example, a law enforcement officer).

PurpleSec reports that 98% of cyberattacks involve some form of social engineering, which shows how serious this form of attack is.

MFA fatigue (also called push bombing) is not users getting bored with multi-factor authentication; it is an attack on it. An attacker who already holds the victim's password triggers login attempt after login attempt, flooding the victim's phone with MFA push prompts until they approve one, whether by mistake, out of annoyance, or because someone convinces them the prompt is legitimate. In Uber's case, it happened this way:

  • The hacker used social engineering to obtain the password of an Uber employee's account (a contractor's account, according to Uber's later update).
  • With the password in hand, the attacker triggered repeated login attempts, each pushing an MFA approval prompt to the employee's device. The stream of prompts wore the employee down.
  • The attacker then sent the employee a WhatsApp message posing as Uber IT support, asking them to approve the login to make the prompts stop. The employee approved it, giving the attacker a foothold in the account, including Slack.
  • From there, the attacker moved onto the internal network and found a network share containing PowerShell scripts.
  • One of the scripts contained hard-coded credentials for an administrator account (reportedly for the company's privileged access management platform), which gave the attacker access to multiple other systems.
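The last step is the one that turned a single compromised account into a company-wide breach, and it is the easiest to catch ahead of time. The scanner below is an added example written for this article; it is not Uber's code, and the two PowerShell scripts it scans are constructed samples with made-up secrets (the names `backup.ps1`, `svc-backup` and `pam.example.internal` are invented). The first script imitates the kind of file the attacker is reported to have found; the second shows the safer patterns (`Get-Credential`, an environment variable injected at run time, an encrypted file) that the scanner deliberately does not flag.

```python
"""Find hard-coded credentials in PowerShell scripts.

Added example for this article, not Uber's code. Both scripts below are
constructed samples and every secret in them is made up.
"""
import re

BAD_SCRIPT = r'''
# backup.ps1 -- constructed sample of what NOT to do
$username = "svc-backup"
$password = "Summer2022!"
$secure = ConvertTo-SecureString "Summer2022!" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($username, $secure)
Invoke-RestMethod -Uri "https://pam.example.internal/api" -Headers @{ Authorization = "Bearer c0nstructed-t0ken-1234567890" }
'''

GOOD_SCRIPT = r'''
# backup.ps1 -- constructed sample of the safer pattern
$cred = Get-Credential                                       # prompt the operator
$token = $env:BACKUP_API_TOKEN                               # injected at run time by the PAM/CI system
$secure = ConvertTo-SecureString (Get-Content .\token.enc)   # DPAPI-encrypted file, not plaintext
'''

QUOTE = r'(["\'])'   # group 1: the opening quote, matched again with \1

# (kind, regex). Every regex captures the secret itself as the named group "value".
PATTERNS = [
    # $password = "..."  /  $ApiKey = '...'  /  $dbSecret = "..."
    ("variable assignment",
     re.compile(r'\$\w*(?:pass|pwd|secret|token|key)\w*\s*=\s*' + QUOTE + r'(?P<value>[^"\']{4,})\1', re.I)),
    # ConvertTo-SecureString "plaintext" -AsPlainText: the classic "looks encrypted, isn't" idiom
    ("ConvertTo-SecureString literal",
     re.compile(r'ConvertTo-SecureString\s+' + QUOTE + r'(?P<value>[^"\']+)\1\s+-AsPlainText', re.I)),
    # -Password "..." / -ApiKey "..." passed straight to a cmdlet
    ("literal credential parameter",
     re.compile(r'-(?:Password|ApiKey|Token|Secret)\s+' + QUOTE + r'(?P<value>[^"\']+)\1', re.I)),
    # Authorization: Bearer <token>
    ("bearer token literal",
     re.compile(r'Bearer\s+(?P<value>[A-Za-z0-9._\-]{16,})')),
]


def redact(secret: str) -> str:
    """Keep a two-character prefix so a finding can be triaged without re-leaking the secret."""
    return secret[:2] + "*" * max(len(secret) - 2, 3)


def scan_script(text: str, name: str) -> list:
    """Return one finding per (line, pattern) hit, in file order.

    Comments are scanned too: a commented-out credential is still a credential.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, rx in PATTERNS:
            m = rx.search(line)
            if m:
                findings.append({"file": name, "line": lineno, "kind": kind,
                                 "preview": redact(m.group("value"))})
    return findings


def scan_all(scripts: dict) -> list:
    """Scan a {filename: contents} mapping, e.g. everything found on a network share."""
    return [f for name, text in scripts.items() for f in scan_script(text, name)]


if __name__ == "__main__":
    for f in scan_all({"backup.ps1": BAD_SCRIPT, "backup-fixed.ps1": GOOD_SCRIPT}):
        print(f"{f['file']}:{f['line']}: {f['kind']} ({f['preview']})")
```

Run against a directory of scripts, this reports three findings in the bad sample (the `$password` assignment, the plaintext `ConvertTo-SecureString`, and the bearer token) and none in the safe one. The `ConvertTo-SecureString ... -AsPlainText` pattern matters most in practice: the resulting `SecureString` looks encrypted to a casual reviewer, but the plaintext sits right there in the file.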

MFA fatigue isn't a new attack vector: Cisco disclosed this year that an attacker combined voice phishing with MFA push bombing to get into its network in May, and social-engineering attacks hit Mailchimp and Twilio in August. Uber itself suffered a breach in 2016, when intruders obtained data on 57 million riders and drivers.
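Push bombing leaves a distinctive trail in the identity provider's logs: a burst of denied or expired prompts for one user, followed by an approval. The detector below is an added example for this article, not Uber's detection logic or any vendor's product. It assumes a simplified, constructed log format (`timestamp user event result`, one event per line); real Okta, Duo or Azure AD logs carry the same fields under different names. The thresholds (four rejected prompts in ten minutes, an approval within thirty minutes of a burst) are assumptions to tune per environment.

```python
"""Detect MFA push bombing (MFA fatigue) in authentication logs.

Added example for this article, not Uber's or any vendor's detection logic.
Log format assumed here: "<ISO-8601 UTC timestamp> <user> <event> <result>".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: bob is bombed with prompts and finally approves one;
# carol denies a single prompt and approves a later, unrelated login.
SAMPLE_LOG = """\
2022-09-15T22:01:04Z alice mfa_push approved
2022-09-15T23:40:10Z bob mfa_push denied
2022-09-15T23:40:42Z bob mfa_push timeout
2022-09-15T23:41:15Z bob mfa_push denied
2022-09-15T23:41:50Z bob mfa_push timeout
2022-09-15T23:42:30Z bob mfa_push denied
2022-09-15T23:55:03Z bob mfa_push approved
2022-09-16T08:12:00Z carol mfa_push denied
2022-09-16T08:30:00Z carol mfa_push approved
"""

BURST_THRESHOLD = 4                      # rejected/expired prompts that count as a burst (assumed)
BURST_WINDOW = timedelta(minutes=10)     # sliding window for the burst (assumed)
APPROVAL_GRACE = timedelta(minutes=30)   # an approval this soon after a burst is the attacker getting in (assumed)


def parse_line(line: str):
    ts, user, event, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, result


def detect_push_bombing(log_text: str, threshold=BURST_THRESHOLD,
                        window=BURST_WINDOW, grace=APPROVAL_GRACE) -> list:
    """Return alerts in log order: 'medium' when a burst starts, 'high' when a
    push is approved shortly after a burst (the account should be locked and
    the session revoked at that point)."""
    alerts = []
    rejected = defaultdict(deque)   # user -> timestamps of denied/expired prompts inside the window
    last_burst = {}                 # user -> time the most recent burst was observed

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event, result = parse_line(line)
        if event != "mfa_push":
            continue

        if result in ("denied", "timeout"):
            q = rejected[user]
            q.append(ts)
            while ts - q[0] > window:            # drop prompts that fell out of the window
                q.popleft()
            if len(q) >= threshold:
                # Alert once per burst, not once per prompt.
                if user not in last_burst or ts - last_burst[user] > window:
                    alerts.append({"user": user, "severity": "medium", "at": ts.isoformat(),
                                   "reason": f"{len(q)} rejected/expired MFA pushes within {window}"})
                last_burst[user] = ts

        elif result == "approved":
            if user in last_burst and ts - last_burst[user] <= grace:
                alerts.append({"user": user, "severity": "high", "at": ts.isoformat(),
                               "reason": "MFA push approved shortly after a push-bombing burst"})
                # Reset so a later, legitimate approval is not flagged again.
                del last_burst[user]
                rejected[user].clear()
    return alerts


if __name__ == "__main__":
    for a in detect_push_bombing(SAMPLE_LOG):
        print(f"[{a['severity']}] {a['at']} {a['user']}: {a['reason']}")
```

On the sample, bob's fourth rejected prompt raises the medium alert and his approval twelve minutes later raises the high one; carol never crosses the threshold. The medium alert is the point at which a SOC can still act (call the user, block the source IP); by the high alert the attacker already has a session, and the response is revocation, not prevention.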

Cybersecurity lessons from the Uber breach

The breach has prompted many experts to weigh in with their opinions on what companies can do to prevent these types of attacks from happening in the future. Below are preliminary lessons sourced from cybersecurity experts on CyberWire:

#1. Attackers have the edge

Jai Dargan, Chief of Staff at Axio, reminded us that attacks are inevitable. Even though we don't know exactly who is behind this one, it's safe to assume they are well-funded and highly motivated. To put the risk in context, the World Economic Forum Insight Report ranked cyberattacks and data fraud as the third most worrying outlook for companies.

The hack also gives us a glimpse into how attackers have evolved. Jyoti Bansal, Co-founder and CEO of Traceable AI, said, 'the Uber breach is an example of how attackers have such an edge over defenders, and how their goals have evolved.' Attackers are no longer looking for a quick profit like they did in the past. Now, they're trying to steal data for future use—and that means defenders have to match the approach.

#2. MFA isn't sufficient

Multi-factor authentication (MFA) has been the standard for years. However, it's no longer enough on its own, given all the ways attackers can bypass it. CyberArk carried out an analysis and found at least four ways to circumvent MFA or diminish its benefits. The conclusion: MFA alone isn't sufficient.

Instead, Darryl Athans, Vice President of North America at senhasegura, wants organizations to pair MFA with privileged access management (PAM) and user and entity behavior analytics (UEBA). The former ensures only authorized users can reach sensitive data and keeps privileged credentials in a vault rather than in scripts; the latter monitors user behavior and flags anomalies, such as a burst of rejected MFA prompts, before they become an incident.

#3. Human links are weak

The Uber breach is a reminder that humans are some of the weakest links in any security system. A strong password and two-factor authentication aren't enough when someone can call your cell phone company and pose as you. Former NSA Director Admiral Michael S. Rogers believes the solution is to increase user security awareness. Here are proposed ways to achieve that:

  • Educate your users about social engineering risks and how to avoid them.

  • Ensure employees use a password manager so that every account gets a unique, strong password, and that passwords are changed promptly whenever compromise is suspected.

  • Run an awareness campaign about MFA fatigue: what it is, how the attack works, and what to do when unexpected prompts arrive (deny them and report them to IT; never approve one just to make the notifications stop).

  • Train employees to recognize phishing messages and suspicious prompts so they catch malicious requests before they fall for them.

#4. Zero trust is a necessity

Another lesson is the need to eliminate implicit trust by verifying and validating every stage of access. This approach is known as zero trust, and according to IBM's report it also reduces costs: the average breach costs $1.76 million less at companies with mature zero-trust deployments than at those without.

John Dasher, VP of Product Marketing at Banyan Security, believes the solution is to shore up human weaknesses with sound zero trust technology. By adopting a zero trust strategy, using the principle of least privilege access, and employing device trust, you can help take human judgment out of the equation.

What's next for Uber after the breach?

Uber has announced that it has brought its internal software tools back online after taking them down as a precaution following the breach. Services are now operational. In its latest update, it said no sensitive user data was compromised. However, experts believe the attacker had deep access.

According to a study by Comparitech, companies that suffer breaches underperform in the market due to damaged brand perception. The breach has already weighed on Uber's stock: on Tuesday, Uber shares (NYSE: UBER) were trading 0.35% lower at $31.38 premarket. It remains to be seen how Uber handles the situation and whether it can bounce back quickly enough for investors and customers alike.


Updated

British police have arrested the alleged hacker behind the Uber breach, known online as Tea Pot (aka teapotuberhacker). The young man is said to be around 17 years old, not 18 as previously believed.

According to a tweet by the City of London Police, he was arrested in Oxfordshire alongside seven other teenagers. The hacker also used 'Breachbase' and 'White' as online aliases. Reports say he had made around $14 million from cybercrime.


Written by antagonist | B2B B2C FinTech writer. Cybersecurity technical writer. Covers cyber tech, DeFi, tradFi, web3, blockchain, & startup.
Published by HackerNoon on 2022/09/21