By
Steve Muchoki
February 9th, 2024
The Lapsus$ Hacking Group exploited some of the employee accounts and internal tools of Uber, however, there’s no breach of customers sensitive information so far.
On Monday, September 19, Uber Technologies Inc (NYSE: UBER) stated that the hacker associated with the Lapsus$ hacking group was behind the cyberattack last week that forced the ride-hailing company to shut down internal communications.
The Lapsus$ extortion group is also very popular for breaching other high-profile tech companies in the past. Uber further explained that the Lapsus$ hacker stole the credentials of an Uber EXT contractor in an MFA fatigue attack.
The attacker flooded the contractor with two-factor authentication (2FA) login requests until one got accepted. This gave the hacker access to several employee accounts and other tools like Slack and G-Suite. In its official statement, Uber also noted:
“The attacker then posted a message to a company-wide Slack channel, which many of you saw, and reconfigured Uber’s OpenDNS to display a graphic image to employees on some internal sites”.
This social engineering tactic has been very popular in exploiting high-tech firms. Similar attacks in the past have targeted well-known companies such as Robinhood, Twitter, Mailchimp, and Okta.
Uber: The Lapsus$ Group Has No Access to Users’ Sensitive Information
Uber said that the hackers couldn’t get access to any sensitive information such as user accounts or the database storing information like credit card numbers, bank accounts, or trip details.
Uber said that it is still conducting an investigation into the matter. The ride-hailing firm added that “the attacker accessed several internal systems, and our investigation has focused on determining whether there was any material impact”.
Following the breach, Uber also initiated several corrective measures. It has for now disabled some of the affected internal tools. Besides, Uber also locked its Codebase preventing any further code changes. The company added that it has yet to detect any proof that the attacker injected some malicious code into the database. The company added:
“First and foremost, we’ve not seen that the attacker accessed the production (i.e. public-facing) systems that power our apps; any user accounts; or the databases we use to store sensitive user information, like credit card numbers, user bank account info, or trip history. We also encrypt credit card information and personal health data, offering a further layer of protection. We reviewed our codebase and have not found that the attacker made any changes. We also have not found that the attacker accessed any customer or user data stored by our cloud providers”.
Uber said that it has been in close touch with the FBI and the US Department of Justice on the matter.