Uber Hacker May Have Compromised Secret Bug Reports

Uber appears to have been breached again, after a threat actor reportedly accessed its email and cloud systems, code repositories, internal Slack account and HackerOne tickets.

The ride-hailing giant released a terse message on Twitter yesterday saying it is “currently responding to a cybersecurity incident” and is in touch with law enforcement.

Meanwhile, the alleged hacker sent screenshots to the New York Times and security researchers showing they had access to various internal corporate IT systems.

They reportedly also hijacked an internal Slack account and announced the breach to employees, before posting a pornographic image on a separate intranet page.

Initial access was achieved after the hacker impersonated a member of the IT department and sent an employee a text requesting their password, according to the report. The attacker reportedly claims to be just 18 years old.

Sam Curry, a staff security engineer at Yuga Labs who has been interacting with the hacker and with Uber employees, explained on Twitter that sensitive vulnerability reports also appear to have been compromised.

“Someone hacked an Uber employee’s HackerOne account and is commenting on all of the tickets. They likely have access to all of the Uber HackerOne reports,” he said.

That’s potentially serious if the individual wanted to monetize bugs that have yet to be fixed or publicly disclosed.

“The attacker is claiming to have completely compromised Uber, showing screenshots where they’re full admin on AWS and GCP,” he added.

The news comes just a week after the start of a landmark court case in which prosecutors are accusing former Uber chief security officer Joe Sullivan of failing to properly disclose a massive 2016 data breach of 57 million users.

The firm is said to have paid off the threat actors responsible for the breach to the tune of $100,000 in an attempt to keep the incident a secret.

If Sullivan is found guilty, it would be the first time a security professional has been held personally culpable for such an incident.
