This story has been updated with a fresh statement from Uber.
Uber announced yesterday that it had taken a lot of its internal communications channels and engineering systems offline after an anonymous individual gained access to a large amount of secure data that purportedly includes emails, cloud storage, and code repositories. The still-unknown person claiming responsibility has since provided screenshots as proof to both The New York Times and a security engineer at Yuga Labs. The screenshots revealed they gained their stunningly comprehensive and potentially devastating entry into Uber's inner workings using one of the simplest, oldest tricks in the book: put simply, they duped an Uber employee into providing them with their password.
The more official term in the cybersecurity world is social engineering, which LSU's IT Security and Policy Office defines as when bad actors use human interaction (social skills) to acquire or compromise information regarding a business or its personal computers. In this case, The NY Times reports, the person sent a text to an Uber employee claiming to be an IT officer, and was able to persuade them into handing over their password.
From there, they gained entry into Uber's systems and took over a worker's Slack profile to post the (admirably) straightforward update: "I announce I'm a hacker and Uber has suffered a data breach." They then went on to argue that Uber drivers should receive higher pay. The NY Times also notes the hacker gained access to many more systems from there, and went as far as to post an explicit photo on an internal employee information page.
Even though the public often associates hacks with complex cyberattacks utilizing inscrutable programming languages, a large proportion boil down to these relatively simple social engineering and phishing scams. One report indicates only three percent of all malware tries to exploit technical issues, while the remaining 97 percent are simply social engineering ploys. In 2020, similar strategies were used by teens to successfully gain access to Twitter's servers, with others employing social engineering while attacking Microsoft earlier this year.
It's unclear where this latest social engineering saga will end, although one security expert speaking to The NY Times surmises, "It looks like maybe they're this kid who got into Uber and doesn't know what to do with it, and is having the time of his life." Earlier today, Uber posted an update to Twitter informing people that there doesn't appear to be any compromise of users' sensitive data, such as trip information and routes. Additionally, the company states that the internal software taken down yesterday is slowly coming back online today. Regardless, it's a good reminder to double-check the identity behind the next random text you receive from your boss or IT coworker.