Uber’s computer network has been hacked.
The ride-hailing company said it was investigating after several internal communications and engineering systems had been compromised.
The New York Times first reported the breach after the hacker sent images of email, cloud storage and code repositories to the newspaper.
Uber staff were told not to use the workplace messaging app Slack, the report said, quoting two employees.
Shortly before the Slack system was taken offline, Uber employees received a message that read: “I announce I am a hacker and Uber has suffered a data breach.”
It appeared that the hacker was later able to gain access to other internal systems, posting an explicit photo on an internal information page for employees.
Uber said it was in touch with authorities about the breach.
We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available.
— Uber Comms (@Uber_Comms) September 16, 2022
There has been no indication that Uber’s fleet of vehicles, its customers or payment data have been affected by the hack.
Bug bounty hunters
Uber pays a subscription fee to HackerOne, a bug bounty platform based in California. Bug bounty programs are used by a lot of big businesses – essentially they pay ethical hackers to identify bugs.
Sam Curry, one of the bug bounty hunters, communicated with the Uber hacker. “It seems like they’ve compromised a lot of stuff,” he said.
Mr Curry said he spoke to several Uber employees, who said they were “working to lock down everything internally” to restrict the hacker’s access.
He said there was no indication that the hacker had done any damage or was interested in anything more than publicity.
Chris Evans, chief hacking officer for HackerOne, told the BBC: “We’re in close contact with Uber’s security team, have locked their data down, and will continue to assist with their investigation.”
Who is responsible?
The BBC has seen messages from someone who claims that various Uber admin accounts are under their control.
The New York Times reports the hacker is 18 years old, has been working on his cyber-security skills for several years and hacked the Uber systems because “they had weak security”.
In the Slack message that announced the breach, the person also said Uber drivers should receive higher pay.
The saying goes in cyber-security that “humans are the weakest link”, and once again this hack shows that it was an employee being fooled that let the criminals in.
Although the saying is true, it’s also extremely unkind.
The fuller picture emerging here shows that this hacker was highly skilled and highly motivated.
As we saw with recent breaches of Okta, Microsoft and Twitter, young hackers with plenty of time on their hands and a devil-may-care attitude can persuade even the most careful employees into making cyber-security mistakes.
This form of hacking through social engineering is even older than computers themselves – just ask infamous former hacker Kevin Mitnick, who was sweet-talking his way around telephone networks back in the 70s.
The difference today is that hackers are able to combine the gift of the gab with very sophisticated and easy-to-use software to make their job even easier.