The Uber banner hangs outside of the New York Stock Exchange. Ride-share company Uber confirmed it was hacked in what appears to be a damaging compromise of internal systems and the company’s accounts for multiple third-party services. (Photo by Spencer Platt/Getty Images)Ride-share company Uber confirmed it was hacked in what appears to be a damaging compromise that includes both internal systems and the company’s accounts for multiple third-party services.Last night, the New York Times reported that Uber was investigating a compromise of its internal systems and had to take a number of its communications and engineering systems offline while employees were warned not to use Slack after the hacker was able to gain access to an employee’s work account and began posting messages advertising the hack.Two hours later, the company confirmed the incident in a Twitter post, while screenshots of internal Uber systems were shared online by security researchers, some of whom claimed to have been in contact with the hacker.
“We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available,” Uber’s communications team wrote.Later in the day, Uber posted an update claiming that there is currently no evidence that sensitive user data like trip histories were accessed, that internal communication and service tools are coming back online and that services like Uber, UberEats, Uber Freight and Uber Driver are all operational. Cybersecurity experts routinely warn that it is very difficult to assess the full scope of a breach in the immediate aftermath.The actor also posted screenshots that indicate they have access to Uber’s administrative account on third-party services like HackerOne, a bug bounty platform, as well as their AWS cloud server.“We’re in close contact with Uber’s security team, have locked their data down, and will continue to assist with their investigation,” said Chris Evans, CISO for HackerOne.Corben Leo, a security researcher and chief marketing officer at Zellic, told SC Media that he learned directly from the hacker that the individual phished an Uber employee to gain access to Uber’s corporate VPN. From there, they were able to scan Uber’s internal corporate network, where they found administrative user credentials for Uber’s Thycotic account, a privileged access management system, through a shared network resource.“Using this they were able to access Uber's AWS environment, GSuite, Duo (can thus bypass 2FA for anything), OneLogin, get Domain Admin, etc.,” Corben said through a Twitter direct message.Leo told SC Media that beyond that conversation, he has not been in further contact with the hacker.Screenshot of conversation between security researcher Corben Leo and the alleged Uber hacker. (Source: Corben Leo)If those reports turn out to be accurate, it will mark yet another instance where access to a single account resulted in the compromise of a multi-billion dollar company. Companies like Twitter, Microsoft and Okta have all been hacked in a similar fashion. Further, the widespread, ubiquitous access that many employees have to internal systems was one of the chief concerns highlighted by Peiter Zatko, former CISO for Twitter, in his whistleblower complaint against the company earlier this year.While details about the hack are still coming to light, it appears that “a single hard coded password has been used to access [Uber’s] privileged access management system, giving access to any area of the IT environment that links to it,” said Chris Vaughan, area vice president at Tanium.
An In-Depth Guide to Identity
Get essential knowledge and practical strategies to fortify your identity security.
Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.
After infiltrating the SEC's X account via SIM swapping conducted with the help of his co-conspirators, Council proceeded to post fraudulent information regarding the planned approval of cryptocurrency-containing exchange-traded funds, which resulted in a Bitcoin price spike, according to the Justice Department.
Implementation of a backdoor that would enable government access to Apple users' cloud storage data could set a precedent for authoritarian nation-states and threat actors, with Electronic Frontier Foundation's Thorin Klosowski noting the threat of a global emergency stemming from the secret order.
Increasing concerns regarding the potential utilization of Chinese artificial intelligence platform DeepSeek for foreign government surveillance have prompted New York Gov. Kathy Hochul to ban the AI chatbot's usage across all state-issued devices just days after Texas Gov. Greg Abbott issued a similar prohibition for DeepSeek and Chinese-owned social media apps.