Uber blames security breach on Lapsus$, says it bought credentials on the dark web

The hacking group apparently gained access to several internal Uber systems after stealing a third-party contractor's credentials and then convincing the contractor to approve a two-factor authentication request.
Written by Stephanie Condon, Senior Writer

The security breach that hit Uber last week was the work of Lapsus$, Uber said in a blog post Monday. The South American hacking group has attacked a number of technology giants in the past year, including Microsoft, Samsung, and Okta.  

Uber said it is in close coordination with the FBI and US Justice Department on the matter. 

While the attackers accessed several internal systems, Uber said it does not appear they infiltrated any public-facing systems, user accounts, or databases that store sensitive user information like credit card numbers. Additionally, Uber said it doesn't appear that the attackers accessed any customer or user data stored by its cloud providers. 


The hackers did download some internal messages, as well as information from an internal finance team. They also accessed Uber's dashboard at HackerOne, where security researchers report bugs and vulnerabilities. However, any bug reports the attacker was able to access have been remediated, Uber said. 

On Thursday, news of the breach spread after a hacker posted a message to a company-wide Slack channel. The hacker then reconfigured Uber's OpenDNS to display a graphic image to employees on some internal sites.

The hacking group told the New York Times that they gained access to Uber's systems through a social-engineering scheme. They sent a text message to an Uber employee claiming to be a corporate IT staffer, which persuaded the staff member to reveal a password. 


However, Uber clarified Monday that the hacker gained access using credentials from a third-party contractor. Furthermore, the company said it's "likely" that the Lapsus$ hacker obtained the contractor's Uber corporate password by purchasing it on the dark web, after the contractor's personal device had been infected with malware.

After that, Uber said, the hacker repeatedly tried to log in to the contractor's Uber account but was stymied by a two-factor login approval request. However, the contractor eventually accepted one of those requests. From there, the hacker obtained elevated permissions to a number of internal tools, including G-Suite and Slack.
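The login pattern described above, repeated push prompts that go unanswered or are denied until one is finally approved, is something an identity team can look for in its own MFA logs. The following is an added illustration, not code from Uber or from the article: it runs a simple detector over a constructed, space-separated push log (timestamps, user names and event names are all assumed) and flags any approval that was preceded by several unanswered or denied prompts within a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push log (not from the article or from Uber's systems).
# Format: "<timestamp> <user> <event>", event being push_sent, push_timeout,
# push_denied or push_approved.
SAMPLE_LOG = """\
2022-09-15T21:02:11Z contractor-01 push_sent
2022-09-15T21:02:41Z contractor-01 push_timeout
2022-09-15T21:03:05Z contractor-01 push_sent
2022-09-15T21:03:35Z contractor-01 push_denied
2022-09-15T21:04:10Z contractor-01 push_sent
2022-09-15T21:04:40Z contractor-01 push_timeout
2022-09-15T21:09:52Z contractor-01 push_sent
2022-09-15T21:10:03Z contractor-01 push_approved
2022-09-15T21:11:00Z alice push_sent
2022-09-15T21:11:09Z alice push_approved
"""

UNANSWERED = {"push_timeout", "push_denied"}


def parse_mfa_log(text):
    """Yield (timestamp, user, event) tuples from the log format above."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event


def detect_push_fatigue(text, window=timedelta(minutes=30), min_unanswered=3):
    """Return {user: count} for every approval preceded by at least
    `min_unanswered` unanswered or denied pushes within `window`."""
    history = defaultdict(list)  # user -> timestamps of unanswered/denied pushes
    hits = {}
    for ts, user, event in parse_mfa_log(text):
        if event in UNANSWERED:
            history[user].append(ts)
        elif event == "push_approved":
            recent = [t for t in history[user] if ts - t <= window]
            if len(recent) >= min_unanswered:
                hits[user] = len(recent)
            history[user].clear()  # an approval closes the current login episode
    return hits


if __name__ == "__main__":
    print(detect_push_fatigue(SAMPLE_LOG))  # {'contractor-01': 3}
```

A hit from this detector is a reason to contact the user and review the session, and a common mitigation is number matching or a limit on how many pushes can be sent per account in a short period.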
