Uber suffered a serious breach of its system earlier this month, allowing the bad actor to wreak all sorts of havoc — from spamming the employee Slack chats with explicit imagery to defacing the internal websites and stealing sensitive media. The ride-sharing company has now released an updated statement, putting the blame on the infamous Lapsus$ hacking group.
The attack, and the subsequent announcement, were so brazen that some employees took it as a joke from one of their colleagues and responded to the hacker’s message with light-hearted emojis. The hacker told The New York Times that he was 18 years old. To further rub salt into Uber’s wounds, the cybercriminal told The Washington Post that he breached the company’s systems for fun and might leak the source code in the coming months.
Post where the leaker directly links themselves to Uber hack. I’ve removed all the screenshots of system access (which you may spot a familiarity with from incidents earlier this year).
— Kevin Beaumont (@GossiTheDog) September 18, 2022
The hacker in question, who goes by the alias “teapotuberhacker,” is also said to be the mastermind behind the massive GTA 6 leak that popped up a few days ago and rocked the entire video game industry. The hacker claims to have stolen sensitive material like game source code from Rockstar’s systems, but in Uber’s case, the company claims that nothing of such severe magnitude happened.
Interestingly, young hackers appear to have a special kind of affinity for targeting Uber. Back in 2017, a 20-year-old Floridian reportedly stole personal data belonging to 57 million Uber users, but the company sat on the breach and only disclosed it a year later.
Uber says it is currently in touch with the FBI and the U.S. Department of Justice to handle the situation moving ahead. Interestingly, the FBI recently issued a statement asking for public help in order to nab members of the notorious group. The plea came in the wake of high-profile security breaches targeting U.S. tech titans like T-Mobile, Microsoft, and Nvidia, among others.
It is believed that members of the group include a healthy bunch of teenagers, as per experts cited in a report published by The Washington Post. According to a BBC report, a 16-year-old and a 17-year-old were charged following an international investigation chasing cybercrime incidents. Prior to that, London’s police department had arrested seven troublemakers between the ages of 16 and 21 over similar Lapsus$-adjacent cyber crimes.
Per a Bloomberg report, the 16-year-old was reportedly the mastermind of the Lapsus$ group’s activities, and despite living in their mother’s apartment, they managed to amass a fortune worth about $14 million. In the past, the gang has also targeted Samsung, EA, Ubisoft, Vodafone, and Okta, among other recognizable names.
The group garnered widespread international attention after stealing the COVID-19 vaccination records of millions of citizens from the systems of Brazil’s Ministry of Health. Aside from stealing sensitive data, the group has been involved in cyber vandalism and website defacement. Experts told Forbes that the group recently engineered a DNS attack that redirected visitors of the target websites to pornographic sites.
The Uber hacker announced their accomplishment in a rather epic fashion. As per screenshots making the rounds on social media, the bad actor posted a message in the employee Slack group claiming, “I am a hacker and uber has suffered a data breach.” The malicious party then proceeded to download Slack messages alongside details of an internal tool that is used to manage invoices.
Days after the incident was first reported, Uber has now clarified that no sensitive user information, such as account details, trip history, bank account numbers, and credit card details, was stolen. Moreover, whatever vulnerabilities and bugs were gleaned from Uber’s HackerOne dashboard have since been patched. Compromised employee accounts that paved the way for an alleged social engineering hack were either blocked or had their credentials reset.
To ensure that no further harm is done, Uber also locked the platform’s codebase and froze any further submissions, while also kickstarting a passkey rotation policy for its internal systems. Uber says it is currently working with “several leading digital forensics firms” to further investigate the security incident.