www.wired.com
151.101.2.194  Public Scan

Submitted URL: https://t.co/JbvRw0mwO6
Effective URL: https://www.wired.com/story/uber-hack-mfa-phishing/
Submission: On September 19 via api from CA — Scanned from CA

Form analysis 0 forms found in the DOM

Text Content

The Uber Hack’s Devastation Is Just Starting to Reveal Itself
Lily Hay Newman

Security
Sep 16, 2022 5:35 PM



An alleged teen hacker claims to have gained deep access to the company’s
systems, but the full picture of the breach is still coming into focus.

Photograph: David Paul Morris/Bloomberg/Getty Images




On Thursday evening, ride-share giant Uber confirmed that it was responding to
“a cybersecurity incident” and was contacting law enforcement about the breach.
An entity that claims to be an individual 18-year-old hacker took responsibility
for the attack, bragging to multiple security researchers about the steps they
took to breach the company. The attacker reportedly posted, “Hi @here I announce
I am a hacker and Uber has suffered a data breach,” in a channel on Uber's Slack
on Thursday night. The Slack post also listed a number of Uber databases and
cloud services that the hacker claimed to have breached. The message reportedly
concluded with the sign-off, “uberunderpaisdrives.”

The company temporarily took down access on Thursday evening to Slack and some
other internal services, according to The New York Times, which first reported
the breach. In a midday update on Friday, the company said that “internal
software tools that we took down as a precaution yesterday are coming back
online.” Invoking time-honored breach-notification language, Uber also said on
Friday that it has “no evidence that the incident involved access to sensitive
user data (like trip history).” Screenshots leaked by the attacker, though,
indicate that Uber's systems may have been deeply and thoroughly compromised and
that anything the attacker didn't access may have been the result of limited
time rather than limited opportunity.

“It’s disheartening, and Uber is definitely not the only company that this
approach would work against,” says offensive security engineer Cedric Owens of
the phishing and social engineering tactics the hacker claimed to use to breach
the company. “The techniques mentioned in this hack so far are pretty similar to
what a lot of red teamers, myself included, have used in the past. So,
unfortunately, these types of breaches no longer surprise me.”



The attacker, who could not be reached by WIRED for comment, claims that they
first gained access to company systems by targeting an individual employee and
repeatedly sending them multifactor authentication login notifications. After
more than an hour, the attacker claims, they contacted the same target on
WhatsApp pretending to be an Uber IT person and saying that the MFA
notifications would stop once the target approved the login. 

Such attacks, sometimes known as “MFA fatigue” or “exhaustion” attacks, take
advantage of authentication systems in which account owners simply have to
approve a login through a push notification on their device rather than through
other means, such as providing a randomly generated code. MFA-prompt phishes
have become more and more popular with attackers. And in general, hackers have
increasingly developed phishing attacks to work around two-factor authentication
as more companies deploy it. The recent Twilio breach, for example, illustrated
how dire the consequences can be when a company that provides multifactor
authentication services is itself compromised. Organizations that require
physical authentication keys for logins have had success defending themselves
against such remote social engineering attacks.



The phrase “zero trust” has become a sometimes meaningless buzzword in the
security industry, but the Uber breach seems to at least show an example of what
zero trust is not. Once the attacker had initial access inside the company, they
claim they were able to access resources shared on the network that included
scripts for Microsoft's automation and management program PowerShell. The
attackers said that one of the scripts contained hard-coded credentials for an
administrator account of the access management system Thycotic. With control of
this account, the attacker claimed, they were able to gain access tokens for
Uber's cloud infrastructure, including Amazon Web Services, Google's GSuite,
VMware's vSphere dashboard, the authentication manager Duo, and the critical
identity and access management service OneLogin.

Screenshots leaked by the attacker support the claims of this deep access,
including to OneLogin. In an analysis on Friday, researchers from the
cybersecurity firm Group IB suggested that the attacker may have first breached
Uber earlier this week and only made their presence known on Thursday.



One independent security engineer described the OneLogin account access the Uber
hacker seems to have had as “the golden ticket jackpot.”



“That’s God—they own that there’s nothing they can’t access,” the security
engineer added. “It’s Disneyland. It’s a blank check at the candy shop and
Christmas morning all rolled up together. But sure, customer ride data wasn’t
impacted. OK.”

The situation at Uber comes on the heels of congressional testimony on Wednesday
from Twitter’s former security chief Peiter “Mudge” Zatko, who has invoked
whistleblower protections as part of accusations alleging deplorable security
practices within the social media giant. Zatko's testimony this week got
senators fired up about the importance of security within Big Tech. But in the
past, even the direst and most rattling hacks have led only to incremental progress
on the most basic best practices. Zatko's testimony did not seem to impact
Twitter's stock price at all on Wednesday. Uber's stock had a small dip Friday
morning, but it had partly recovered by the closing bell.

For now, the full scope of the situation inside the ride-sharing giant remains
unknown.

“I think there are a lot of opportunities to work on detections and preventions
proactively,” offensive security engineer Owens says. “This can be difficult to
execute in practice, though, when you have lots of other fires to put out,
political challenges inside of an organization, et cetera. Maybe I’m slowly
becoming jaded since I’ve been around in this space for a while.”







Lily Hay Newman is a senior writer at WIRED focused on information security,
digital privacy, and hacking. She previously worked as a technology reporter at
Slate magazine and was the staff writer for Future Tense, a publication and
project of Slate, the New America Foundation, and Arizona State University.