IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Uber hacked via basic smishing attack

The self-taught hacker impersonated an IT worker to gain an Uber employee's password, obtaining broad access to internal systems and posting taunting messages

A smishing attack on Thursday led to a wide range of Uber's internal systems being breached by a seemingly unaffiliated teenage hacker, it has been claimed.

A report first emerged in The New York Times that the ride-sharing company had been hacked, with the threat actor themselves getting in touch with the publication to allege that he had gained access to internal systems such as Uber’s internal email, cloud storage systems and code repositories through a simple social engineering attack. In a text message sent to an Uber employee, the hacker impersonated an IT worker and convinced them that it was necessary to share an internal password.

As a variant of phishing in which SMS is used to mine targets for sensitive information, smishing is often combined with social engineering tricks for increased effectiveness. Victims may be more easily persuaded to hand over credentials to a supposedly trustworthy source if the attacker makes the situation seem urgent or seems to be suitably authoritative, both of which may have prompted the hacker to claim to be a key IT worker. Two-factor authentication (2FA) is a recommended measure to dull the impact of smishing attacks, and prevent compromised credentials from being used by hackers effectively.

Smishing and social engineering were recently used in sophisticated attacks on Twilio and Marriott. A report from September 2021 revealed that in the first six months of the year, smishing attacks surged 700% more than in the preceding six months.

The hacker claims to be just 18 years old, with self-taught skills in cyber security, and explained that he performed the breach because Uber’s security was especially weak. On Thursday, Uber confirmed that it was subject to a cyber attack through its official Twitter channel, and also stated that it is in dialogue with law enforcement. The company has not offered an in-depth description of the attack.

As part of the breach, the hacker gained administrator control of Uber’s HackerOne account, which it uses to pay white hat hackers bug bounties. The attacker proceeded to leave comments on all active bounty tickets reading “UBER HAS BEEN HACKED (domain admin, aws admin, vsphere admin, gsuite SA) AND THIS HACKERONE ACCOUNT HAS BEEN ALSO”.

The attacker also used this access to send out an email via policy update - which sends an automatic alert to the inboxes of anyone following a particular bounty programme - including a screenshot of a Telegram exchange, providing more details on how the hacker allegedly compromised Uber's systems.

In it, the hacker (identified in the conversation as 'Tea Pot') said that after he had gained access to the intranet, he obtained PowerShell scripts that "contained the username and password for a admin user in [privileged access management tool] Thycotic", which he said allowed him to "extract secrets for all services, [including] DA, DUO, Onelogin, AWS, [and] GSuite".

The New York Times also quoted two Uber employees, who wished to remain anonymous, who said the company had put out a warning to not engage with the company’s Slack channels while the attack was active, and shortly after all employees received a message reading “I announce that I am a hacker and Uber has suffered a data breach.”

There are concerns that younger people are increasingly turning to hacking as a hobby, driven by lack of opportunity amidst the cost of living crisis. A recent report by Censuswide, on behalf of International Cyber Expo, revealed growing concern among parents that hacking could become a pastime for young people.

Related Resource

Cyber resiliency and end-user performance

Reduce risk and deliver greater business success with cyber-resilience capabilities

Whitepaper cover with title and text, and image of pyramid cyber-resilience modelFree Download

“With hacking tools becoming increasingly accessible and affordable on the internet, we have witnessed a rise in ‘script kiddies’; inexperienced hackers who carry out cyber attacks,” stated Simon Newman, CEO of Cyber Resilience Centre for London and International Cyber Expo Advisory Council member.

“While ‘kiddies’ do not necessarily refer to the hacker’s age so much as their experience, many have been found to be teenagers. In fact, in the UK the average age of a referral to the National Cyber Crime Unit is just 15 years old.”

“Although law enforcement agencies are working hard to take down the websites and forums that promote hacking, the results of this survey also demonstrate a need for parents/guardians to take an active interest in what their children are doing online to prevent them from falling on the wrong side of the law.”

Uber has a history of hacking, having been very publicly compromised in a 2016 attack that resulted in the exposed information of 57 million users of its app and resulted in reputational damage for the firm. In June, a judge decided that the company’s former chief security officer (CSO) Joseph Sullivan would face wire fraud charges for his role in an attempted cover-up of the attack.

Uber declined to provide further comment to IT Pro.

Featured Resources

Three ways manual coding is killing your business productivity

...and how you can fix it

Free Download

Goodbye broadcasts, hello conversations

Drive conversations across the funnel with the WhatsApp Business Platform

Free Download

Winning with multi-cloud

How to drive a competitive advantage and overcome data integration challenges

Free Download

Talking to a business should feel like messaging a friend

Managing customer conversations at scale with the WhatsApp Business Platform

Free Download

Recommended

Uber launches infosec hiring spree after attributing breach to LAPSUS$
cyber attacks

Uber launches infosec hiring spree after attributing breach to LAPSUS$

20 Sep 2022
Former Uber security chief to face fraud charges over hack coverup
data breaches

Former Uber security chief to face fraud charges over hack coverup

29 Jun 2022
Uber secures 30-month licence to operate in London
Policy & legislation

Uber secures 30-month licence to operate in London

28 Mar 2022
Education and government most at risk from email threats
phishing

Education and government most at risk from email threats

26 Nov 2021

Most Popular

Vodafone UK confirms talks to merge with Three are underway
mergers and acquisitions

Vodafone UK confirms talks to merge with Three are underway

3 Oct 2022
BT's new platform promises to slash AI development time from months to days
artificial intelligence (AI)

BT's new platform promises to slash AI development time from months to days

3 Oct 2022
How to secure your hybrid workforce
Advertisement Feature

How to secure your hybrid workforce

23 Sep 2022