September 29, 2022

Uber Investigating Breach of Its Computer Systems

The company said on Thursday that it was looking into the scope of the apparent hack.

Uber discovered its computer network had been breached on Thursday, leading the company to take several of its internal communications and engineering systems offline as it investigated the extent of the hack.

The breach appeared to have compromised many of Uber’s internal systems, and a person claiming responsibility for the hack sent images of email, cloud storage and code repositories to cybersecurity researchers and The New York Times.

“They pretty much have full access to Uber,” said Sam Curry, a security engineer at Yuga Labs who corresponded with the person who claimed to be responsible for the breach. “This is a total compromise, from what it looks like.”

An Uber spokesman said the company was investigating the breach and contacting law enforcement officials.

Uber employees were instructed not to use the company’s internal messaging service, Slack, and found that other internal systems were inaccessible, said two employees, who were not authorized to speak publicly.

Shortly before the Slack system was taken offline on Thursday afternoon, Uber employees received a message that read, “I announce I am a hacker and Uber has suffered a data breach.” The message went on to list several internal databases that the hacker claimed had been compromised.

The hacker compromised a worker’s Slack account and used it to send the message, the Uber spokesman said. It appeared that the hacker was later able to gain access to other internal systems, posting an explicit photo on an internal information page for employees.

The person who claimed responsibility for the hack told The New York Times that he had sent a text message to an Uber worker claiming to be a corporate information technology person. The worker was persuaded to hand over a password that allowed the hacker to gain access to Uber’s systems, a technique known as social engineering.

“These types of social engineering attacks to gain a foothold within tech companies have been increasing,” said Rachel Tobac, chief executive of SocialProof Security. Ms. Tobac pointed to the 2020 hack of Twitter, in which teenagers used social engineering to break into the company. Similar social engineering techniques were used in recent breaches at Microsoft and Okta.

“We are seeing that attackers are getting smart and also documenting what is working,” Ms. Tobac said. “They have kits now that make it easier to deploy and use these social engineering methods. It’s become almost commoditized.”

The hacker, who provided screenshots of internal Uber systems to demonstrate his access, said that he was 18 years old and had been working on his cybersecurity skills for several years. He said he had broken into Uber’s systems because the company had weak security. In the Slack message that announced the breach, the person also said Uber drivers should receive higher pay.

The person appeared to have access to Uber source code, email and other internal systems, Mr. Curry said. “It seems like maybe they’re this kid who got into Uber and doesn’t know what to do with it, and is having the time of his life,” he said.

In an internal email that was seen by The New York Times, an Uber executive told employees that the hack was under investigation. “We don’t have an estimate right now as to when full access to tools will be restored, so thank you for bearing with us,” wrote Latha Maripuri, Uber’s chief information security officer.

It was not the first time that a hacker had stolen data from Uber. In 2016, hackers stole information from 57 million driver and rider accounts and then approached Uber and demanded $100,000 to delete their copy of the data. Uber arranged the payment but kept the breach a secret for more than a year.

Joe Sullivan, who was Uber’s top security executive at the time, was fired for his role in the company’s response to the hack. Mr. Sullivan was charged with obstructing justice for failing to disclose the breach to regulators and is currently on trial.

Lawyers for Mr. Sullivan have argued that other employees were responsible for regulatory disclosures and said the company had scapegoated Mr. Sullivan.
