
On Thursday, employees of the ride-sharing company discovered that someone had accessed their internal network. The news outlet that broke the story said that the person, who sent screenshots to The New York Times and security researchers, claimed to be 18 years old and was very forthcoming about how the intrusion happened and how far it went.

It didn't take long for independent researchers, including Bill Demirkapi, to confirm The New York Times coverage.

The Uber hack is quite severe and wide ranging. Wishing their blue teams the best of luck and love during this understandably difficult period. Some thoughts & observations based on what we've seen so far 👉 1/N

— Bill Demirkapi (@BillDemirkapi) September 16, 2022

After obtaining an employee's password, the hacker tricked the employee into approving a push notification. Administrative credentials were then found that gave access to some of the company's resources. The company's internal network was shut down while it investigated the extent of the incident.

It is not known what data the hacker had access to or what actions the hacker took. It is possible that private addresses and the hourly comings and goings of hundreds of millions of people could be accessed by anyone.

So far, here is what we know.

How did the hacker get in?

According to The New York Times, a hacker socially engineered an employee of the ride-sharing company after finding the employee's phone number. In messages, the hacker instructed the employee to log in to a fake site, which quickly grabbed the credentials and used them to log in to the real site.


The company's multifactor authentication (MFA) took the form of an app that prompted the employee to push a button on their phone when logging in. The hacker entered the credentials into the real site multiple times. The employee pushed the button. The attacker was inside.

The attacker found a PowerShell script that was used to automate the process of logging in to sensitive networks. The script contained the credentials.
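A defender-side illustration of the repeated-prompt pattern described above, added here as an example and not taken from the article or from the company: it flags a push approval that follows a burst of prompts for the same user. The event names, tuple layout, window and threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window
THRESHOLD = 3                   # assumed number of prompts that makes an approval suspicious

# Constructed sample events: (ISO timestamp, user, event). Names are hypothetical.
SAMPLE_EVENTS = [
    ("2024-01-01T09:00:00", "alice", "push_sent"),
    ("2024-01-01T09:00:08", "alice", "push_approved"),  # ordinary login: one prompt
    ("2024-01-01T08:00:00", "carol", "push_sent"),      # prompts spread over an hour
    ("2024-01-01T08:30:00", "carol", "push_sent"),
    ("2024-01-01T09:00:00", "carol", "push_sent"),
    ("2024-01-01T09:00:10", "carol", "push_approved"),
    ("2024-01-01T09:30:00", "bob", "push_sent"),        # burst of prompts, then approval
    ("2024-01-01T09:30:45", "bob", "push_sent"),
    ("2024-01-01T09:31:30", "bob", "push_sent"),
    ("2024-01-01T09:32:10", "bob", "push_sent"),
    ("2024-01-01T09:33:00", "bob", "push_sent"),
    ("2024-01-01T09:33:05", "bob", "push_approved"),
]

def detect_push_fatigue(events, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per approval preceded by >= threshold prompts inside window."""
    pending = defaultdict(deque)  # user -> timestamps of prompts since the last approval
    alerts = []
    for ts_raw, user, kind in sorted(events):  # ISO timestamps sort chronologically
        ts = datetime.fromisoformat(ts_raw)
        queue = pending[user]
        while queue and ts - queue[0] > window:  # drop prompts older than the window
            queue.popleft()
        if kind == "push_sent":
            queue.append(ts)
        elif kind == "push_approved":
            if len(queue) >= threshold:
                alerts.append({"user": user, "approved_at": ts_raw,
                               "prompts": len(queue)})
            queue.clear()  # an approval ends the current streak
    return alerts

if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_EVENTS):
        print(alert)
```

An alert of this kind is a cue to confirm the login with the user out of band and to review the session that the approval created.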

What happened next?

The attacker is said to have sent company-wide text messages.

One message said that he was a hacker and that the company had suffered a data breach. Evidence was provided that the individual had access to assets.

It's not clear what other data the hacker had access to or if the hacker copied or shared it with the world at large. There is no evidence that the incident involved access to sensitive user data.

What do we know about the hacker?

Not much. The person claims to be 18 years old and is upset with the way drivers are paid. The fact that the intruder took no steps to hide the breach suggests that the intrusion isn't motivated by money. The identity of the person is not known.

What is Uber doing now?

The company is looking into the matter.