IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Uber launches infosec hiring spree after attributing breach to LAPSUS$

The company also hinted at the belief that LAPSUS$ was also behind the attack on Rockstar Games over the weekend in a revealing update detailing the inner workings of the attack

Uber has embarked on a hiring spree for security personnel in the wake of its data breach last week and has also revealed new details about who was behind the attack.

On Friday last week, several open positions appeared on LinkedIn just one day after the ride-hailing tech giant confirmed the breach to the public. 

Roles that are still open for applications include senior security incident commander to lead incident response, security engineer and security engineering manager at the company's threat detection division, and senior security engineers across applications security, enterprise security, and investigations. 

The positions opened for applicants the day after the attack was confirmed and shows Uber’s commitment to tightening its security following the breach.

In an update to customers on Monday, Uber also confirmed several other details about who was behind the attack and how the cyber criminals were able to successfully breach the company. 

Uber attributed the attack to the LAPSUS$ hacking group which came to prominence in early 2022, claiming successful attacks on major companies such as Microsoft, Okta, Nvidia, Samsung, and T-Mobile.

The group has been described as both “competent and incompetent at the same time” by experts and is believed to be run by young cyber criminals in Portugal, Brazil, and the UK whose ages range between 16 and 21.

Unlike many emerging cyber criminal organisations, LAPSUS$ does not operate on a ransomware model and in the case of the Uber hack, the company said the group managed to gain access to a contractor’s account by spamming multi-factor authentication (MFA) prompts.

Uber believed the contractor’s device had been infected with malware, allowing hackers to steal credentials and sell them to LAPSUS$ on the dark web. 

From there, the attackers repeatedly tried to gain access to the contractor’s account using the stolen credentials, and the repeated attempts would have delivered a frustrating number of prompts to the contractor’s phone.

The contractor eventually accepted one of the prompts allowing the attackers full access to their account.

This is a known attack method in the industry and relies on sending so many prompts that the target becomes annoyed with all the notifications and accepts one to make them stop. 

LAPSUS$ is also known for having deployed such tactics in the past, saying they prefer to carry them out while the target sleeps to maximise effectiveness.

“From there, the attacker accessed several other employee accounts which ultimately gave the attacker elevated permissions to a number of tools, including G Suite and Slack,” said Uber. 

“The attacker then posted a message to a company-wide Slack channel, which many of you saw, and reconfigured Uber’s OpenDNS to display a graphic image to employees on some internal sites.”

Uber said the attackers were able to access and download Slack messages - the content of which was not specified - and download data from its finance team’s invoice management tool.

Related Resource

Introducing IBM Security QRadar XDR

A comprehensive open solution in a crowded and confusing space

Whitepaper cover with title over a grey rectangle and a dark header banner with turquoise lines and ESG logoFree Download

LAPSUS$ also accessed Uber’s HackerOne dashboard. HackerOne is a security bug and vulnerability reporting platform, though the only reports available to the hackers were regarding vulnerabilities that had already been remediated, Uber said.

The company confirmed nothing else was affected, including its code base or any of its public-facing apps or technologies.

Uber also confirmed that LAPSUS$ was unable to access any customer data stored by its cloud providers, including AWS’ S3.

“We’re working with several leading digital forensics firms as part of the investigation,” said Uber, which also said the investigation is still ongoing. 

“We will also take this opportunity to continue to strengthen our policies, practices, and technology to further protect Uber against future attacks.”

The Rockstar link

Uber also revealed that it believed LAPSUS$ was the hacking group behind the recent breach of Rockstar Games - the developers of popular video game franchises such as Grand Theft Auto and Red Dead Redemption.

The studio announced over the weekend that it had fallen victim to a significant data breach which involved the leaking of footage from the company's pre-alpha version of the upcoming Grand Theft Auto VI game.

“We recently suffered a network intrusion in which an unauthorised third party illegally accessed and downloaded confidential information from our systems, including early development footage for the next Grand Theft Auto [game],” said Rockstar Games.

Uber said it is working with the FBI and US Justice Department to investigate the incident further. It’s unclear if the authorities are also investigating the incident at Rockstar Games, too.

Featured Resources

Big data for finance

How to leverage big data analytics and AI in the finance sector

Free Download

Ten critical factors for cloud analytics success

Cloud-native, intelligent, and automated data management strategies to accelerate time to value and ROI

Free Download

Remove barriers and reconnect with your customers

The $260 billion dollar friction problem businesses don't know they have

Free Download

The future of work is already here. Now’s the time to secure it.

Robust security to protect and enable your business

Free Download


Uber hacked via basic smishing attack

Uber hacked via basic smishing attack

16 Sep 2022
Former Uber security chief to face fraud charges over hack coverup
data breaches

Former Uber security chief to face fraud charges over hack coverup

29 Jun 2022
Uber secures 30-month licence to operate in London
Policy & legislation

Uber secures 30-month licence to operate in London

28 Mar 2022

Most Popular

How to secure your hybrid workforce
Advertisement Feature

How to secure your hybrid workforce

23 Sep 2022
What your hybrid workforce needs from their laptops
Advertisement Feature

What your hybrid workforce needs from their laptops

21 Sep 2022
Cloud and cyber security certifications remain highest paying for IT professionals
Careers & training

Cloud and cyber security certifications remain highest paying for IT professionals

29 Sep 2022