How an 18-Year-Old Teen Breached Uber Without Hacking a Single System

September 16 was a regular day in Slack for Uber staff. Team members were chatting about their schedules for the week and the latest updates on their projects. Ideally, a couple of channels were filled with the usual banter and idle conversation, while others were quiet—waiting for someone to break the silence.

Safe to say, nothing seemed out of place. Not even a new user who had joined the company's channel. This user used the name 'Nwave' without a profile picture, biography, or job description. But no one thought much of this—none of the staff had a reason to. Workers modify profiles all the time.

Then, something else happened. The newcomer announced they had hacked into Uber's data. According to screenshots posted on social media platforms, the message reads:

A deluge of emojis followed the announcement—satirical sirens, laid-back popcorns, mocking faces, and lighthearted alarms. The message's brazenness, to the staff, looked like a TikTok prank. They thought it was a joke and made GIFs to meme the situation. Some even started interacting with the hacker.

At that point, no one knew the extent of the hack and that an 18-year-old intruder who had been learning cybersecurity used Uber as a practice ground. More significantly, the staff didn't know such news would make its way to the front pages of the New York Times, prompting several security alerts from partners and reactions from the cybersecurity industry.

First off, how did the Uber breach happen? Let's begin by dissecting the announcement.

I am a hacker, and Uber has suffered a data breach...'

A hacker has advanced knowledge of computer systems and networks and can use that knowledge to break into or 'hack' into other people's systems. There are three types of hackers:

• Black Hat: A black hat hacker uses their skills, maliciously, to gain access to, or otherwise, disrupt computer systems and networks. They usually do so without permission and often to cause harm, such as stealing information or money.

• White Hat: A white hat hacker uses their skills for good by finding security flaws in systems, and reporting their fixing before actual harm is caused.

• Grey Hat: A grey hat hacker performs hacking activities but may not have malicious motives behind their actions. Instead, they might be interested in learning about how things work or playing around with new technology for fun.

  
  

In an article published by Infosec Institute, there's a psychological benefit to profiling hackers with an emphasis on security awareness. Still, there's a level to which the profiling can go if we must deflect influence from the hacker to the hacked. In Uber's case, the latter prevailed.

There was nowhere the hijacker was named. All we know about him is that they're a teenager (18 years old) who claimed to have just learned some cybersecurity skills. But Uber says they're affiliated with Lapsus$, a notorious hacking group. Still, are they black-hat, white-hat, or grey-hat? Further details will reveal that. Let's look at the breach.

A data breach or leak is a security incident in which unauthorized access to data occurs. The accessed data may be confidential, private, or public. An IBM report puts the total cost of a data breach in the United States at $4.24 million in 2022.

Stats narrowed down. A Comparitech study points to California as the state suffering the most data breaches in the United States within 15 years. Worryingly, Uber is based in San Francisco, California. Still, we can't judge the breach's impact or conclude about the hacker until we know what was stolen or exposed.

...Slack has been stolen, confidential data, along with secrets from sneakers…'

Slack is a popular communication tool for organizations, often called 'the corporate Facebook.' It's a great way to keep everyone in your company in the loop on projects as it helps teams share documents and files.

Due to its multiple collaboration features and integration benefits, Slack boasts more than 10 million active users. Additionally, 65% of the Fortune 100 pay for the platform, not forgetting the 750,000 organizations, according to DMR.

Despite its benefits, Slack isn't immune to cyber threats. Its user growth ensures it's often an infiltration target by hackers. If hijackers are not targeting the platform as a whole, they're looking into individual companies on the platform to breach.

In 2015, Slack suffered a major cyber attack. The impact led to the adoption of two-factor authentication. Although the company hasn't been comprehensively breached since then, it has served as a backdoor avenue for infiltrating other companies. Social media giant, Twitter, was hacked through Slack in 2020; Video Game Maker, Electronic Arts, in 2021; and now the ride-hailing service, Uber.

In all of these breaches, companies lost several data pieces worth hundreds of dollars. It's the same for Uber.  The hacker mentioned stealing Uber's Atlassian Confluence, stored data called stash, and two mono-repos (a single repository with many projects) from the cross-platform software, Phabricator. They further shared they had ready-to-spill secrets from sneakers and posted screenshots to back them up.

Uber, in its report, confirmed the unauthorized access. It pared down the theft to internal communications and engineering systems, which included the Slack server, AWS console, Google Workspace, VMware virtual machines, corporate email accounts, and most importantly, the company's HackerOne bug bounty program, where researchers discuss critical IT vulnerabilities.

uberunderpaisdrives

Easily the most profound statement in the announcement is the hashtag #uberunderpaysdrivers, wrongly spelled as #uberunderpaisdrives. It's not unusual for hackers to use their skills to cause social or economic change, or make a political statement. But does this qualify the action of this intruder as white-hat, black-hat, or grey-hat?

On the surface, Uber could be underpaying drivers. In 2017, the ride-hailing company admitted to accidentally underpaying riders in New York City for more than two years. However, looking deep into it, hackers are known to hide under social advocacy to gain public sentiments.

Thus, labeling the intruder seems hurried. The extent of damage is unknown as investigations continue. Whether this hacker had access to sensitive customer data and what they planned to do with it remains unclear. Whereas the person(s) have presented themselves to the New York Times and even shared their Telegram channel for white-hat discussion, being part of Lapsus$ is black-hat for a larger scheme.

The meat: How the hacker got in

According to a series of tweets from Corben Leo, CMO Zellic.io, Sam Curry, Security Engineer, Yugalabs, and VX-Underground, the hacker used social engineering plus MFA fatigue.

Social engineering uses human interaction and manipulation to gain access to computer systems. Social engineers use deception, influence, and persuasion to trick people into giving up confidential information, performing actions, or installing software that compromises security. They often pose as members of the target organization or company, or they may pose as someone else entirely (for example, a law enforcement officer).

PurpleSec reports that over 98% of cyberattack relies on social engineering to show the severity of this form of attack.

MFA fatigue refers to users getting bored with multi-factor authentication (MFA) and choosing not to comply with it eventually. It happens for several reasons, but the most common one is that users find MFA too inconvenient or annoying. In Uber's case, it happened this way:

• The hacker used several social engineering techniques to compromise an Uber employee's (probably employees’) account.
• The attacker sent repeated notifications about the need for MFA from their account. This led to MFA fatigue in the employee, who ultimately gave up compliance.
• The attacker then sent a WhatsApp message pretending to be a member of Uber IT, asking for login approval. The employee complied and gave them access to their Slack account.
• From Slack, the attacker proceeded to access network resources, targeting PowerShell scripts.
• One of the scripts contained hard-coded credentials for an administrator account, which allowed the attacker to gain access to multiple other systems.

MFA fatigue isn't a new attack vector—it was used against MailChimp and Twilio in August this year. In fact, Uber suffered a similar fate in 2016, when it lost sensitive data to intruders.

Cybersecurity lessons from the Uber breach

The breach has prompted many experts to weigh in with their opinions on what companies can do to prevent these types of attacks from happening in the future. Below are preliminary lessons sourced from cybersecurity experts on CyberWire:

#1. Attackers have the edge

Jai Dargan, Chief of Staff at Axio, reminded us again that attacks are inevitable. Even though we don't know who is behind this attack, it's safe to assume they're well-funded and highly motivated. To highlight the impact, the World Economic Forum Insight Report placed cyber attacks and data fraud as third in the most worrisome outlook for companies.

The hack also gives us a glimpse into how attackers have evolved. Jyoti Bansal, Co-founder and CEO of Traceable AI, said, 'the Uber breach is an example of how attackers have such an edge over defenders, and how their goals have evolved.' Attackers are no longer looking for a quick profit like they did in the past. Now, they're trying to steal data for future use—and that means defenders have to match the approach.

#2. MFA isn't sufficient

Multifactorial authentication (MFA) has been the standard for years. However, it's no longer reliable, given all the ways attackers can bypass it. CyberArk carried out an analysis and found at least four ways they could circumvent MFA or diminish its benefits. The result points to the fact that MFA, only, isn't sufficient.

Instead, Darryl Athans, Vice President of North America at SENHASEGURA, wants organizations to include privileged access management (PAM) and user and entity behavior analytics (UEBA) in their MFA. The former ensures only authorized users have access to sensitive data. The latter monitors user behavior and detects anomalies to identify potential threats before they become an issue.

#3. Human links are weak

The Uber breach serves as a reminder that humans are some of the weakest links in any security system. A strong password and two-factor authentication aren't enough when someone can call your cell phone company and pose as you. Former NSA Director Admiral, Michael S. Rogers, believes the solution is to increase user security awareness. Here are proposed ways to achieve that:

• Educate your users about social engineering risks and how to avoid them.

• Ensure that your employees take time to change their passwords regularly and use a secure password manager to help them do so.

• Create an awareness campaign about MFA fatigue, including information about what it is, its impact on cybersecurity, and what they can do.

• Train your employees on recognizing phishing notifications. This will help them catch malicious alerts before they fall for them.

  
  

#4. Zero trust is a necessity

Another lesson is the need to eliminate implicit trust by verifying and validating every stage of the security process. Doing this is known as zero trust, and according to a report by IBM, it helps reduce costs. It's often $1.76 million less in zero-trust-adopting companies compared to non-adopting ones.

John Dasher, VP of Product Marketing at Banyan Security, believes the solution is to shore up human weaknesses with sound zero trust technology. By adopting a zero trust strategy, using the principle of least privilege access, and employing device trust, you can help take human judgment out of the equation.

What's next for Uber after the breach?

Uber has announced that it's bringing back its internal software tool after taking it down as a precaution following the breach. Services are now operational. In its latest report, it said no sensitive user data was compromised. However, experts believed the breach was deep access.

According to a study by Comparitech, companies that suffer breaches underperform in the market due to poor brand perception. The breach has already impacted Uber's performance in the market. Checking on Tuesday, (NYSE: UBER) shares traded lower by 0.35% at $31.38 premarket. It remains to be seen how Uber handles this situation—whether or not they can bounce back quickly enough for investors and customers alike.

Updated

The British police have arrested the alleged hacker behind the Uber breach, whose name has been revealed to be Tea Pot (aka teapotuberhacker). The young man is said to be around 17 years old and is not 18 as previously believed.

According to atweet by the City of London Police, he was arrested in Oxfordshire alongside seven other teenagers. The hacker used "Breachbase" and "White" as his online aliases. Reports say that he had made around $14 million from cybercrimes.