Uber hack shows security is tech industry’s Achilles’ heel
- Companies that have access to the best talent and tools are vulnerable to repeated security breaches
A security breach of Uber Technologies Inc. temporarily hobbled the ride-hailing company’s internal communications in one of the starkest illustrations of how tech companies with access to the best talent and tools are vulnerable to repeated compromise.
Uber on Friday morning said it was continuing to investigate the incident, which began Thursday and prompted the company to take the preventive measure of suspending employee access to internal systems including Slack, Zoom and Gmail. Access to those systems was being restored as of Friday morning, the company said, adding that it had notified law enforcement and that it had no evidence that the incident involved access to “sensitive user data” such as riders’ trip histories.
The attacker appeared to gain significant access to Uber’s internal systems, according to security researchers who communicated with the hacker. The anonymous hacker popped up on the company’s internal Slack channel on Thursday announcing: “I am a hacker and uber has suffered a data breach,” according to a screenshot viewed by The Wall Street Journal. The hacker also took over an account used by the company to communicate with security researchers, according to people who saw posts from the hacker.
The hacker’s declarations were posted on HackerOne, an online service provider that helps companies manage their interactions with cybersecurity researchers. Uber is a HackerOne client. The declarations were posted using Uber’s login, and the posts seem designed to taunt Uber—more “chest thumping” than anything else, said Corben Leo, a researcher with the cybersecurity services company Zellic, who interacted with the hacker.
In a post by Uber’s HackerOne account, the hacker boasted about compromising Uber’s Amazon Web Services account, its Google cloud services and its VMware information-technology software too, and invited readers to connect with them through the Telegram messaging app, Mr. Leo said. “UBER HAS BEEN HACKED,” the post read. “AND THIS HACKERONE ACCOUNT HAS BEEN ALSO.”
Uber hasn’t explained how the hacker gained access to its systems, but according to the hacker’s explanation to some researchers, the company failed to secure the keys to its security kingdom. According to Mr. Leo, the hacker told him that he or she tricked an Uber employee into providing access to the company’s virtual private network and that while there, the hacker was able to gain access to software known as a privileged access management server, used to protect the company’s most-sensitive login credentials.
The self-described hacker reiterated the claim of responsibility in an exchange with the Journal on the Telegram messaging app Thursday evening but didn’t answer further questions.
The attack came a day before Uber Chief Executive Officer Dara Khosrowshahi took the stand in a criminal case relating to a 2016 data breach at the company, and marked the latest of many hacks that have compromised technology companies by leveraging sometimes simple avenues of attack such as getting low-level employees to provide their login credentials.
While tech companies are known for hiring the best and brightest technical minds, often that expertise is trained on building new products rather than protecting them.
“The pressure on the technical side—especially tech companies—to build fast and ship is tremendous,” said Nils Puhlmann, formerly a security executive at tech companies including Twilio Inc. and Zynga Inc. “So any additional step is just a nuisance or just in the way.”
The Uber episode comes weeks after a whistleblower complaint became public from Twitter Inc.’s former head of security that alleged “extreme, egregious deficiencies” in a range of areas including privacy and digital security. The former executive, Peiter Zatko, told senators earlier this week that Twitter executives’ incentives led them to give priority to profits over security.
Twitter has denied the allegations and said Mr. Zatko is making misleading statements.
Mr. Zatko had been hired by Twitter after it suffered the worst hack in its history just over two years ago. In that attack, a Florida teenager convinced a Twitter employee that he was a co-worker, according to U.S. prosecutors. He was able to bypass Twitter’s security systems and gain access to a host of Twitter accounts, including those of Barack Obama, Elon Musk and Kanye West.
The teen and three others were charged in connection with the attack. The teenager, who was 17 at the time of the breach, pleaded guilty to hacking charges last year.
Okta Inc., a provider of digital identity verification, said it suffered a security breach in January that affected as many as 366 customers—about 2.5% of its clients. The hackers who claimed responsibility for the attack gained access to the company from a laptop of an engineer employed by a subcontractor, Okta said.
Signal, a platform that is widely viewed as one of the most secure messaging services, said about a month ago that a phishing attack had affected about 1,900 of its users, potentially revealing their phone numbers. The company said the hacker accessed the information through Twilio, a company that provides phone number verification services for Signal.
For Uber, the incident is the company’s third major hack since 2014, and it comes after the company reached a settlement with the Federal Trade Commission in 2018 to implement a comprehensive privacy program, conduct independent assessments of it and submit them to the FTC for the next 20 years.
In a statement, the Federal Bureau of Investigation said Friday that it was assisting Uber with its most recent cyber incident.
Mr. Khosrowshahi, the Uber CEO, on Friday morning testified in the trial of a former Uber executive who is facing criminal obstruction charges related to his role in paying the hackers of the 2016 breach a sum of $100,000.
Mr. Khosrowshahi was questioned over the actions he took in response to learning about the breach that led to millions of riders’ names, emails and phone numbers and about 600,000 driver’s license numbers being accessed. In all, it is estimated that 57 million records were downloaded. The company publicly disclosed the breach about a year after it happened.
In court on Friday, Mr. Khosrowshahi wasn’t asked about the more recent hack but said, “Security issues are serious.”
He added, “Real people could be affected.”
