Cyber Security

Uber’s hacker *irritated* his means into its community, stole inside paperwork • Graham Cluley

Written by admin

Uber's hacker *irritated* his way into its network, stole internal documents

Uber has suffered a safety breach which allowed a hacker to interrupt into its community, and entry the corporate’s inside paperwork and methods.

The incident, confirmed by the corporate in a tweet, and reported by the New York Instances, left Uber instructing staff to not use its inside Slack messaging system, and resulted in different methods being made inaccessible.

The hacker, who has shared screenshots of inside Uber methods to substantiate his unauthorised entry, claims to be 18-years-old. He says that he merely – having already decided a legitimate username and password – tricked an Uber workers member into granting him entry to inside methods by bombarding them with a spate of multi-factor authentication (MFA) push notifications.

So-called “MFA fatigue assaults” repeatedly spam push notifications to victims till the consumer is so overwhelmed/irritated/fed-up that they merely grant entry to cease them.

Signal as much as our publication
Safety information, recommendation, and suggestions.

Having gained entry by way of the socially-engineered worker to Uber’s VPN, the hacker is mentioned to have scanned the corporate’s community, and located a PowerShell script containing hardcoded (doh!) credentials for a Thycotic PAM admin account, which then helped unlock entry to a lot of Uber’s inside methods.

Uber’s safety group can’t be feeling too good proper now, and the hacker poured salted into the wound by posting a message on the corporate’s Slack saying that the agency had been breached.

Hello @right here

I announce i’m a hacker and uber has suffered an information breach.

Slack has been stolen, confidential information with Confluence, stash and a pair of monorepos from phabricator have additionally been stolen, together with secrets and techniques from sneakers.


The reality is, in fact, that many many different corporations are most likely liable to falling for the same trick, and should nicely have workers who’ve made the error of hardcoding login credentials into their PowerShell scripts.

Sadly, some workers assumed the message posted by the hacker was a joke.

Many MFA suppliers permit permission to be granted by receiving a telephone name and urgent a key, or accepting a cell app push notification. Though this may be handy, hackers can difficulty a number of MFA requests till their request is lastly accepted.

Because the LAPSUS$ hacking gang, one other group which has exploited MFA fatigue, has beforehand defined:

Signin with password will difficulty MFA by way of a telephone name or authentication app. Nevertheless no restrict is positioned on the quantity of calls that may be made, name the worker 100 instances at 1am whereas he’s attempting to sleep and he’ll greater than possible settle for it.

Multi-factor authentication is mostly a superb further degree of safety to have in place, however it will probably’t be carried out in isolation to different safety measures, and it also needs to be rigorously configured to maximise the extent of safety it will probably convey.

Discovered this text fascinating? Observe Graham Cluley on Twitter to learn extra of the unique content material we put up.

Graham Cluley is a veteran of the anti-virus trade having labored for plenty of safety corporations for the reason that early Nineteen Nineties when he wrote the primary ever model of Dr Solomon’s Anti-Virus Toolkit for Home windows. Now an impartial safety analyst, he often makes media appearances and is an worldwide public speaker on the subject of pc safety, hackers, and on-line privateness.

Observe him on Twitter at @gcluley, or drop him an e-mail.

About the author


Leave a Comment