Uber, the ride-hailing company, recently released a statement attributing the breach of its network to the hacker group Lapsus$.
Uber has given a detailed account of how its network was breached and whether any sensitive data was taken.
According to Uber, the attack began when the account of an Uber EXT contractor was compromised. Uber believes the attackers obtained the contractor's account details and login credentials from the dark web.
“The attacker then repeatedly tried to log in to the contractor’s Uber account. Each time, the contractor received a two-factor login approval request, which initially blocked access. Eventually, however, the contractor accepted one, and the attacker successfully logged in,” Uber said.
After these repeated attempts the attackers finally gained access to the contractor's Uber account, and from there they moved into other employees' accounts.
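The repeated-approval pattern described above (many push prompts in a short window, then one accepted) is something authentication logs can surface. The following is an added example, not code from Uber's report or from any vendor tool; it scans constructed push-notification log lines, and the log format, field names and event names are assumptions.

```python
"""Flag an MFA-fatigue pattern: many push approvals requested for one
account within a short window, ending with an approval."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; assumed line shape:
#   "<ISO-8601 time> user=<id> event=<push_sent|push_denied|push_approved>"
SAMPLE_LOG = """\
2022-01-01T03:00:00Z user=contractor-ext event=push_sent
2022-01-01T03:00:20Z user=contractor-ext event=push_denied
2022-01-01T03:01:00Z user=contractor-ext event=push_sent
2022-01-01T03:01:25Z user=contractor-ext event=push_denied
2022-01-01T03:02:00Z user=contractor-ext event=push_sent
2022-01-01T03:02:15Z user=contractor-ext event=push_denied
2022-01-01T03:03:00Z user=contractor-ext event=push_sent
2022-01-01T03:03:40Z user=contractor-ext event=push_approved
2022-01-01T09:15:00Z user=alice event=push_sent
2022-01-01T09:15:10Z user=alice event=push_approved
"""


def parse_line(line):
    """Split one log line into (timestamp, user, event)."""
    ts, user, event = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            user.split("=", 1)[1], event.split("=", 1)[1])


def find_mfa_fatigue(log_text, window=timedelta(minutes=10), threshold=4):
    """Return {user: {"pushes": n, "approved_at": iso}} for every approval
    preceded by at least `threshold` push requests inside `window`."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, user, ev = parse_line(line)
            events[user].append((ts, ev))
    alerts = {}
    for user, evs in events.items():
        evs.sort()
        for ts, ev in evs:
            if ev != "push_approved":
                continue
            # Count push requests in the window that ends at this approval.
            sent = sum(1 for t, e in evs
                       if e == "push_sent" and ts - window <= t <= ts)
            if sent >= threshold:
                alerts[user] = {"pushes": sent, "approved_at": ts.isoformat()}
    return alerts


if __name__ == "__main__":
    for user, info in find_mfa_fatigue(SAMPLE_LOG).items():
        print(f"ALERT {user}: {info['pushes']} pushes before approval at {info['approved_at']}")
```

A single prompt followed by an approval (the `alice` lines) produces no alert; tune `window` and `threshold` to the normal prompt rate of the environment.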
“The attacker accessed several other employee accounts which ultimately gave the attacker elevated permissions to a number of tools, including G-Suite and Slack,” said the statement from Uber.
Uber said that its security measures allowed it to identify the issue quickly and resolve it.
Below are some of the actions the company took, as detailed in its report:
- It identified any employee accounts that were compromised or potentially compromised and either blocked their access to Uber systems or required a password reset.
- It disabled many affected or potentially affected internal tools.
- It rotated keys (effectively resetting access) to many of its internal services.
- It locked down its codebase, preventing any new code changes.
- When restoring access to internal tools, it required employees to re-authenticate. It is also further strengthening its multi-factor authentication (MFA) policies.
- It added additional monitoring of its internal environment to keep an even closer eye on any further suspicious activity.
Uber also said that no sensitive user data, such as trip history, account information or payment details, was taken or exposed in the attack. However, it did find that the attackers downloaded some Slack messages and information from an internal tool the company's finance team uses to manage invoices.