September 16 was a regular day in Slack for Uber staff. Team members were chatting about their schedules for the week and the latest updates on their projects. Ideally, a couple of channels were filled with the usual banter and idle conversation, while others were quiet—waiting for someone to break the silence. Safe to say, nothing seemed out of place. Not even a new user who had joined the company's channel. This user used the name 'Nwave' without a profile picture, biography, or job description. But no one thought much of this—none of the staff had a reason to. Workers modify profiles all the time. Then, something else happened. The newcomer announced had hacked into Uber's data. According to screenshots , the message reads: they posted on social media platforms A deluge of emojis followed the announcement—satirical sirens, laid-back popcorns, mocking faces, and lighthearted alarms. The message's brazenness, to the staff, looked like a TikTok prank. They thought it was a joke and made GIFs to meme the situation. Some even started interacting with the hacker. At that point, no one knew the extent of the hack and that an 18-year-old intruder who had been learning cybersecurity used Uber as a practice ground. More significantly, the staff didn't know such news would make its way to the front pages of the , prompting several security alerts from partners and reactions from the cybersecurity industry. New York Times First off, how did the Uber breach happen? Let's begin by dissecting the announcement. ' I am a hacker, and Uber has suffered a data breach... A hacker has advanced knowledge of computer systems and networks and can use that knowledge to break into or 'hack' into other people's systems. There are three types of hackers: : A black hat hacker uses their skills, maliciously, to gain access to, or otherwise, disrupt computer systems and networks. They usually do so without permission and often to cause harm, such as stealing information or money. Black Hat A white hat hacker uses their skills for good by finding security flaws in systems, and reporting their fixing before actual harm is caused. White Hat: A grey hat hacker performs hacking activities but may not have malicious motives behind their actions. Instead, they might be interested in learning about how things work or playing around with new technology for fun. Grey Hat: In an article published by , there's a psychological benefit to profiling hackers with an emphasis on security awareness. Still, there's a level to which the profiling can go if we must deflect influence from the hacker to the hacked. In Uber's case, the latter prevailed. Infosec Institute There was nowhere the hijacker was named. All we know about him is that a teenager (18 years old) who claimed to have just learned some cybersecurity skills. But affiliated with , a notorious hacking group. Still, are they black-hat, white-hat, or grey-hat? Further details will reveal that. Let's look at the breach. they're Uber says they're Lapsus$ A data breach or leak is a security incident in which unauthorized access to data occurs. The accessed data may be confidential, private, or public. An puts the total cost of a data breach in the United States at $4.24 million in 2022. IBM report Stats narrowed down. A points to California as the state suffering the most data breaches in the United States within 15 years. Worryingly, Uber is based in San Francisco, California. Still, we can't judge the breach's impact or conclude about the hacker until we know what was stolen or exposed. Comparitech study ...Slack has been stolen, confidential data, along with secrets from sneakers…' Slack is a popular communication tool for organizations, often called 'the corporate Facebook.' It's a great way to keep everyone in your company in the loop on projects as it helps teams share documents and files. Due to its multiple collaboration features and integration benefits, Slack boasts active users. Additionally, 65% of the Fortune 100 pay for the platform, not forgetting the 750,000 organizations, according to . more than 10 million DMR Despite its benefits, Slack isn't immune to cyber threats. Its user growth ensures it's often an infiltration target by hackers. If hijackers are not targeting the platform as a whole, they're looking into individual companies on the platform to breach. In 2015, a major cyber attack. The impact led to the adoption of two-factor authentication. Although the company hasn't been comprehensively breached since then, it has served as a backdoor avenue for infiltrating other companies. Social media giant, , was hacked through Slack in 2020; Video Game Maker, , in 2021; and now the ride-hailing service, Uber. Slack suffered Twitter Electronic Arts In all of these breaches, companies lost several data pieces worth hundreds of dollars. It's the same for Uber.  The hacker mentioned stealing Uber's Atlassian Confluence, stored data called , and two mono-repos (a single repository with many projects) from the cross-platform software, Phabricator. further shared they had secrets from sneakers and posted screenshots to back them up. stash They ready-to-spill Uber, , confirmed the unauthorized access. It pared down the theft to internal communications and engineering systems, which included the Slack server, AWS console, Google Workspace, VMware virtual machines, corporate email accounts, and most importantly, the company's HackerOne bug bounty program, where researchers discuss critical IT vulnerabilities. in its report uberunderpaisdrives Easily the most profound statement in the announcement is the hashtag , wrongly spelled as #uberunderpaisdrives. It's not unusual for hackers to use their skills to cause social or economic change, or make a political statement. But does this qualify the action of this intruder as white-hat, black-hat, or grey-hat? #uberunderpaysdrivers On the surface, Uber could be underpaying drivers. In 2017, the ride-hailing company riders in New York City for more than two years. However, looking deep into it, hackers are known to hide under social advocacy to gain public sentiments. admitted to accidentally underpaying Thus, labeling the intruder seems hurried. The extent of damage is unknown as investigations continue. Whether this hacker had access to sensitive customer data and what planned to do with it remains unclear. Whereas the person(s) have presented to the New York Times and even for , being part of Lapsus$ is . they themselves shared their Telegram channel white-hat discussion black-hat for a larger scheme The meat: How the hacker got in According to a series of tweets from , CMO Zellic.io, , Security Engineer, Yugalabs, and , the hacker used social engineering plus MFA fatigue. Corben Leo Sam Curry VX-Underground Social engineering uses human interaction and manipulation to gain access to computer systems. Social engineers use deception, influence, and persuasion to trick people into giving up confidential information, performing actions, or installing software that compromises security. They often pose as members of the target organization or company, or they may pose as someone else entirely (for example, a law enforcement officer). that over 98% of cyberattack relies on social engineering to show the severity of this form of attack. PurpleSec reports MFA fatigue refers to users getting bored with multi-factor authentication (MFA) and choosing not to comply with it eventually. It happens for several reasons, but the most common one is that users find MFA too inconvenient or annoying. In Uber's case, it happened this way: The hacker used several social engineering techniques to compromise an Uber employee's (probably employees’) account. The attacker sent about the need for MFA from their account. This led to MFA fatigue in the employee, who ultimately gave up compliance. repeated notifications The attacker then sent a WhatsApp message pretending to be a member of Uber IT, asking for login approval. The employee complied and gave them access to their Slack account. From Slack, the attacker proceeded to access network resources, targeting PowerShell scripts. One of the scripts contained hard-coded credentials for an administrator account, which allowed the attacker to gain access to multiple other systems. MFA fatigue isn't a new attack vector—it was used against and in August this year. In fact, Uber suffered a similar fate in 2016, when it lost sensitive data to intruders. MailChimp Twilio Cybersecurity lessons from the Uber breach The breach has prompted many experts to weigh in with their opinions on what companies can do to prevent these types of attacks from happening in the future. Below are preliminary lessons sourced from cybersecurity experts on CyberWire: #1. Attackers have the edge Jai Dargan, Chief of Staff at Axio, reminded us again that attacks are inevitable. Even though we don't know who is behind this attack, it's safe to assume they're well-funded and highly motivated. To highlight the impact, the placed cyber attacks and data fraud as third in the most worrisome outlook for companies. World Economic Forum Insight Report The hack also gives us a glimpse into how attackers have evolved. Jyoti Bansal, Co-founder and CEO of Traceable AI, said, 'the Uber breach is an example of how attackers have such an edge over defenders, and how their goals have evolved.' Attackers are no longer looking for a quick profit like they did in the past. Now, they're trying to steal data for future use—and that means defenders have to match the approach. #2. MFA isn't sufficient Multifactorial authentication (MFA) has been the standard for years. However, it's no longer reliable, given all the ways attackers can bypass it. and found at least four ways they could circumvent MFA or diminish its benefits. The result points to the fact that MFA, only, isn't sufficient. CyberArk carried out an analysis Instead, Darryl Athans, Vice President of North America at SENHASEGURA, wants organizations to include privileged access management (PAM) and user and entity behavior analytics (UEBA) in their MFA. The former ensures only authorized users have access to sensitive data. The latter monitors user behavior and detects anomalies to identify potential threats before they become an issue. #3. Human links are weak The Uber breach serves as a reminder that humans are some of the weakest links in any security system. A strong password and two-factor authentication aren't enough when someone can call your cell phone company and pose as you. Former NSA Director Admiral, Michael S. Rogers, believes the solution is to increase user security awareness. Here are proposed ways to achieve that: Educate your users about social engineering risks and how to avoid them. Ensure that your employees take time to change their passwords regularly and use a secure password manager to help them do so. Create an awareness campaign about MFA fatigue, including information about what it is, its impact on cybersecurity, and what they can do. Train your employees on recognizing phishing notifications. This will help them catch malicious alerts before they fall for them. #4. Zero trust is a necessity Another lesson is the need to eliminate implicit trust by verifying and validating every stage of the security process. Doing this is known as zero trust, and according to , it helps reduce costs. It's often $1.76 million less in zero-trust-adopting companies compared to non-adopting ones. a report by IBM John Dasher, VP of Product Marketing at Banyan Security, believes the solution is to shore up human weaknesses with sound zero trust technology. By adopting a zero trust strategy, using the principle of least privilege access, and employing device trust, you can help take human judgment out of the equation. What's next for Uber after the breach? Uber has announced that it's bringing back its internal software tool after taking it down as a precaution following the breach. Services are now operational. In its latest report, it said no sensitive user data was compromised. However, experts believed the breach was deep access. According to , companies that suffer breaches underperform in the market due to poor brand perception. The breach has already impacted Uber's performance in the market. Checking on Tuesday, (NYSE: UBER) shares traded lower by 0.35% at $31.38 premarket. It remains to be seen how Uber handles this situation—whether or not they can bounce back quickly enough for investors and customers alike. a study by Comparitech Updated The British police have arrested the alleged hacker behind the Uber breach, whose name has been revealed to be Tea Pot (aka teapotuberhacker). The young man is said to be around 17 years old and is not 18 as previously believed. According to a , he was arrested in Oxfordshire alongside seven other teenagers. The hacker used "Breachbase" and "White" as his online aliases. Reports say that he had made around $14 million from cybercrimes. tweet by the City of London Police

This story contains new, firsthand information uncovered by the writer.

ATLASSIAN

Facebook

Google

Slack

Twilio

Twitter

Uber

Smart Strategy: Investing in Crypto Using Your IRA 

The Blockchain Trilemma: Could Layer 0 Be the Solution for Mass Adoption

Winner, Hackernoon Contributor of the Year - Future Of Finance

First Runner-up, Hackernoon Gaming Guru of the Year

Check Out Portfolio

Book a Call

Hire Me

Too Long; Didn't Read

Boost your HackerNoon story @ $159.99! 🚀

How an 18-Year-Old Teen Breached Uber Without Hacking a Single System

How an 18-Year-Old Teen Breached Uber Without Hacking a Single System

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

Untitled Story

6 Major Changes in the VR, AR, and MR Industries According to James Kaplan

Windows Sticky Keys Exploit: The War Veteran That Never Dies

06/02/2018: Biggest Stories in the Cryptosphere

0-Days are on the Rise and that Means a Lot More Work for SOC Teams

Time Bombs Inside Software: 0-Day Log4Shell is Just the Tip of The Iceberg

6 Major Changes in the VR, AR, and MR Industries According to James Kaplan

Windows Sticky Keys Exploit: The War Veteran That Never Dies

06/02/2018: Biggest Stories in the Cryptosphere

0-Days are on the Rise and that Means a Lot More Work for SOC Teams

Time Bombs Inside Software: 0-Day Log4Shell is Just the Tip of The Iceberg

Light-Mode

Classic

Newspaper

Dark-Mode

Neon Noir

Minty

HN StartUps