September 16 was a regular day in Slack for Uber staff. Team members were chatting about their schedules for the week and the latest updates on their projects. Ideally, a couple of channels were filled with the usual banter and idle conversation, while others were quiet—waiting for someone to break the silence.
Safe to say, nothing seemed out of place. Not even a new user who had joined the company's channel. This user used the name 'Nwave' without a profile picture, biography, or job description. But no one thought much of this—none of the staff had a reason to. Workers modify profiles all the time.
Then, something else happened. The newcomer announced they had hacked into Uber's data. According to screenshots
First off, how did the Uber breach happen? Let's begin by dissecting the announcement.
I am a hacker, and Uber has suffered a data breach...'
A hacker has advanced knowledge of computer systems and networks and can use that knowledge to break into or 'hack' into other people's systems. There are three types of hackers:
Black Hat: A black hat hacker uses their skills, maliciously, to gain access to, or otherwise, disrupt computer systems and networks. They usually do so without permission and often to cause harm, such as stealing information or money.
White Hat: A white hat hacker uses their skills for good by finding security flaws in systems, and reporting their fixing before actual harm is caused.
Grey Hat: A grey hat hacker performs hacking activities but may not have malicious motives behind their actions. Instead, they might be interested in learning about how things work or playing around with new technology for fun.
In an article published by
There was nowhere the hijacker was named. All we know about him is that they're a teenager (18 years old) who claimed to have just learned some cybersecurity skills. But
A data breach or leak is a security incident in which unauthorized access to data occurs. The accessed data may be confidential, private, or public. An
Stats narrowed down. A
...Slack has been stolen, confidential data, along with secrets from sneakers…'
Slack is a popular communication tool for organizations, often called 'the corporate Facebook.' It's a great way to keep everyone in your company in the loop on projects as it helps teams share documents and files.
Due to its multiple collaboration features and integration benefits, Slack boasts
Despite its benefits, Slack isn't immune to cyber threats. Its user growth ensures it's often an infiltration target by hackers. If hijackers are not targeting the platform as a whole, they're looking into individual companies on the platform to breach.
In all of these breaches, companies lost several data pieces worth hundreds of dollars. It's the same for Uber. The hacker mentioned stealing Uber's Atlassian Confluence, stored data called stash, and two mono-repos (a single repository with many projects) from the cross-platform software, Phabricator. They further shared they had ready-to-spill secrets from sneakers and posted screenshots to back them up.
Easily the most profound statement in the announcement is the hashtag #uberunderpaysdrivers, wrongly spelled as #uberunderpaisdrives. It's not unusual for hackers to use their skills to cause social or economic change, or make a political statement. But does this qualify the action of this intruder as white-hat, black-hat, or grey-hat?
On the surface, Uber could be underpaying drivers. In 2017, the ride-hailing company
Thus, labeling the intruder seems hurried. The extent of damage is unknown as investigations continue. Whether this hacker had access to sensitive customer data and what they planned to do with it remains unclear. Whereas the person(s) have presented themselves to the New York Times and even
Social engineering uses human interaction and manipulation to gain access to computer systems. Social engineers use deception, influence, and persuasion to trick people into giving up confidential information, performing actions, or installing software that compromises security. They often pose as members of the target organization or company, or they may pose as someone else entirely (for example, a law enforcement officer).
PurpleSec states that over 98% of cyberattack relies on social engineering to show the severity of this form of attack.
MFA fatigue refers to users getting bored with multi-factor authentication (MFA) and choosing not to comply with it eventually. It happens for several reasons, but the most common one is that users find MFA too inconvenient or annoying. In Uber's case, it happened this way:
The breach has prompted many experts to weigh in with their opinions on what companies can do to prevent these types of attacks from happening in the future. Below are preliminary lessons sourced from cybersecurity experts on CyberWire:
#1. Attackers have the edge
Jai Dargan, Chief of Staff at Axio, reminded us again that attacks are inevitable. Even though we don't know who is behind this attack, it's safe to assume they're well-funded and highly motivated. To highlight the impact, the
The hack also gives us a glimpse into how attackers have evolved. Jyoti Bansal, Co-founder and CEO of Traceable AI, said, 'the Uber breach is an example of how attackers have such an edge over defenders, and how their goals have evolved.' Attackers are no longer looking for a quick profit like they did in the past. Now, they're trying to steal data for future use—and that means defenders have to match the approach.
#2. MFA isn't sufficient
Multifactorial authentication (MFA) has been the standard for years. However, it's no longer reliable, given all the ways attackers can bypass it.
Instead, Darryl Athans, Vice President of North America at SENHASEGURA, wants organizations to include privileged access management (PAM) and user and entity behavior analytics (UEBA) in their MFA. The former ensures only authorized users have access to sensitive data. The latter monitors user behavior and detects anomalies to identify potential threats before they become an issue.
#3. Human links are weak
The Uber breach serves as a reminder that humans are some of the weakest links in any security system. A strong password and two-factor authentication aren't enough when someone can call your cell phone company and pose as you. John Dasher, VP of Product Marketing at Banyan Security, believes the solution is to increase user security awareness. Here are proposed ways to achieve that:
Educate your users about social engineering risks and how to avoid them.
Ensure that your employees take time to change their passwords regularly and use a secure password manager to help them do so.
Create an awareness campaign about MFA fatigue, including information about what it is, its impact on cybersecurity, and what they can do.
Train your employees on recognizing phishing notifications. This will help them catch malicious alerts before they fall for them.
#4. Zero trust is a necessity
Another lesson is the need to eliminate implicit trust by verifying and validating every stage of the security process. Doing this is known as zero trust, and according to
Former NSA Director Admiral, Michael S. Rogers, suggests using secret management (formerly called data at rest) for effective zero trust. This involves encrypting all data and storing the keys in a secure location. So even if hackers get access to the server where you stored data, they can't decrypt it without getting access to your encryption keys first.
Uber has announced that it's bringing back its internal software tool after taking it down following the breach as a precaution. Services are now operational. In its latest report, it said no sensitive user data was compromised. However, experts believed the breach was deep access.