Skip links

Uber explains how it was pwned this month, points finger at Lapsus$ gang

Uber, four days after suffering a substantial cybersecurity breach, has admitted its attacker accessed “several internal systems” including the corporation’s G Suite account, and downloaded internal Slack messages and a tool used by its finance department to manage “some” invoices.

The rideshare and food-delivery app believes someone affiliated with the Lapsus$ gang was behind the intrusion.

In a security update posted Monday, Uber confirmed the intruder accessed its HackerOne bug bounty dashboard. “However, any bug reports the attacker was able to access have been remediated,” it claimed.

Uber also said it believes the person who compromised Rockstar Games and stole confidential data for Grand Theft Auto 6 was the same person who compromised its own network.

It was earlier speculated by an administrator of a cyber-crime forum over the weekend that the person behind the Uber intrusion also stole the GTA 6 source code from Rockstar Games, and that they were involved with Lapsus$.

Since the Uber breach, which happened last Thursday, the app maker has been reticent to provide much (if any) details about what any data was stolen, leaving users scrambling to put the pieces together from security researchers’ tweets and media reports.

It appeared from leaked screenshots that the intruder got into Uber’s AWS account, SentinelOne security dashboard, VMware vSphere control panel, and other critical parts of its IT infrastructure. It was also said that the miscreant got access to private source code repositories, internal documents, and more.

On Friday, the intruder – who reportedly said they are 18 years old – said they broke into Uber for fun, may release some of its source code, and described the company’s security as “awful.”

In today’s security update, Uber said the attacker didn’t make any changes to its codebase, and it hasn’t found any evidence that the miscreant accessed any customer, driver, or other user data, including personal and sensitive information.

The investigation is still ongoing, we’re told, though according to Uber it also doesn’t appear the intruder accessed “the production (i.e. public-facing) systems that power our apps; any user accounts; or the databases we use to store sensitive user information, like credit card numbers, user bank account info, or trip history.”

Additionally, Uber repeated its statements from Friday that all of its public-facing Uber, Uber Eats, and Uber Freight services remained operational during the incident. That’ll keep the shareholders happy.

Today’s security update also pointed the finger at – try not to roll your eyes here – an external contractor whose login credentials may have been sold on the dark web after the details were siphoned from their “personal device” – PC or phone – via malware.

“The attacker then repeatedly tried to log in to the contractor’s Uber account,” Uber claimed. “Each time, the contractor received a two-factor login approval request, which initially blocked access. Eventually, however, the contractor accepted one, and the attacker successfully logged in.”

That seems a common tactic used by micreants: bombard a user with multi-factor authentication requests until they assume it’s a glitch and hit yes to make the spam go away, at which point the crook trying to log in gets in.

This also seems to confirm infosec watcher Corben Leo’s claims from last week, when he said he spoke to the miscreant, who told him they gained access to Uber’s VPN after socially engineering an Uber worker.

After initially gaining access, the intruder compromised other employees’ accounts, allowing them to elevate their privileges and access control panels and dashboards. From there, the attacker posted a message to a company-wide Slack channel and reconfigured Uber’s OpenDNS, according to Uber. That marries up with other accounts of the break-in: the intruder boasted about having hacked Uber in its corporate Slack, and reconfigured the network settings so that opening webpages via the VPN took Uber workers to a page with an X-rated image and abuse on it.

There’s no mention by Uber of the intruder finding on the network a PowerShell containing admin account credentials hardcoded in, as was claimed last week by the miscreant.

In response, the ride-share app said it identified and blocked compromised and potentially compromised employee accounts, disabled affected internal tools, rotated access keys to several cloud services, locked down its codebase, and took steps “further strengthening” its multi-factor authentication policies.

“We are in close coordination with the FBI and US Department of Justice on this matter and will continue to support their efforts,” the security update said.

Uber experienced a massive data security breach in 2016 and allegedly tried to cover it up. That fiasco saw personal information on 57 million passengers and drivers leaked.

Uber’s former chief of security Joe Sullivan faces criminal charges for his handling of that breach, and a related US Federal Trade Commission settlement [PDF] requires the company to notify the watchdog about any security snafus involving driver and rider information and provide assurances about how it protects the security and privacy of personal information.

If last week’s security incident shows that Uber’s security and privacy assurances aren’t up to snuff, “that’s a big deal for [CEO Dara Khosrowshahi’s] personal liability,” a source familiar with the situation at Uber told The Register.

The source added that Uber’s latest breach “is a predictable consequence” of its choices as a corporation. “I’m sure they don’t care,” our source said. “These are the same companies willing to let people die in order to build robot cars, rockets, and addictive news feeds. They have outsourced the risk to other people.” ®


The admin of Kiwi Farms, the hate forum website booted off Cloudflare after much brouhaha, has said the site has been compromised and account data, including email addresses and passwords, likely stolen.

Someone was able to upload a file to the site that stole people’s authentication cookies as they used the site.