September 20, 2022

Uber has issued a security update on its website stating that investigation is ongoing, and it will continue to provide updates on its response to last week’s security incident. It also stated that the cyberattack was carried out by a hacker linked to the Lapsus$ hacking group, which has previously targeted companies such as Nvidia, Samsung, Microsoft and Okta.

According to Uber, an Uber EXT Contractor account was compromised by the attacker using social engineering tactics, and the attacker most likely get the Uber company password of the contractor on the dark web after infecting the contractor’s personal device with malware and releasing that login credentials.

The attacker then tried to log into the contractor’s Uber account several times, each time receiving a two-factor access request that initially blocked access. However, the contractor eventually accepted one, and the attacker logged in successfully, then accessed several other employee accounts and granted the attacker elevated access to a range of tools, including G Suite and Slack.

Uber also stated that it responded by prioritizing the attackers’ lack of access to its systems, ensuring the security of user data, and investigating the scope and impact of the incident.

Other security measures include identifying compromised employee accounts, disabling affected internal tools, effectively resetting access to internal services, barring its code base, strengthening its MFA multi-factor authentication policies, and increasing surveillance.

Although there is no evidence that the attacker gained access to sensitive user data such as trip history, credit card numbers or bank accounts, the company has notified the FBI and the US Department of Justice about the incident.

The sources for this piece include an article in Uber.