On Thursday, September 15, a report by The New York Times stated that a hacker had infiltrated the internal networks of US-based global ride sharing services firm, Uber. According to claims, which have since been posted in detail by numerous independent security researchers on Twitter, a hacker breached an Uber employee’s account on messaging service Slack — and used this to gain privileged access to Uber’s internal infrastructure across VMware dashboard, Amazon Web Services, and Google Suite.
According to the NYT report, the breach saw the alleged hacker dupe an employee into misconfiguring their multi-factor authentication that is required to access the company’s Slack messaging service. Once they secured this access, they found credentials to connect to the company’s virtual private network (VPN) — which routes access for Uber’s internal employees to critical information technology (IT) infrastructure.
Bill Demirkapi, an independent security researcher who also works with Microsoft, stated on Twitter that while the breach has not been formally confirmed, the proof of data that has been offered by the hacker in question appears to show legitimate, real-time information that is critical to Uber’s global business operations.
Since then, a Bloomberg report has said that Uber has paused all internal Slack communications as it investigates the breach. A statement on the matter, posted by Uber’s communications team on Twitter earlier today, said that the company is “responding” to a cyber security incident without offering further context on the matter.
“We are in touch with law enforcement and will post additional updates here as they become available,” the statement said.
It also remains unclear as to what the impact of the Uber breach is at the moment — in terms of how the breach would affect the company, or the personal data of users that it possesses. However, access to a company’s critical internal infrastructure could potentially allow individuals to disrupt operations and gather sensitive data about their finances and other working details.
In 2016, a breach of internal systems exposed the personal data of over 25 million individuals through Uber, which led to the company paying a settlement claim of $148 million in the US. As of now, the effects of Uber’s latest claimed data breach remains to be seen.