Uber blames security breach on Lapsus$, says it bought credentials on the dark web
The hacking group apparently gained access to several internal Uber systems after stealing a third-party contractor's credentials and then convincing the contractor to approve a two-factor authentication request.
Uber said it is in close coordination with the FBI and US Justice Department on the matter.
While the attackers accessed several internal systems, Uber said it does not appear they infiltrated any public-facing systems, user accounts, or databases that store sensitive user information like credit card numbers. Additionally, Uber said it doesn't appear that the attackers accessed any customer or user data stored by its cloud providers.
The hackers did download some internal messages, as well as information from an internal finance team. They also accessed Uber's dashboard at HackerOne, where security researchers report bugs and vulnerabilities. However, any bug reports the attacker was able to access have been remediated, Uber said.
On Thursday, news of the breach spread after a hacker posted a message to a company-wide Slack channel. The hacker then reconfigured Uber's OpenDNS to display a graphic image to employees on some internal sites.
The hacking group told the New York Times that they gained access to Uber's systems through a social-engineering scheme. They sent a text message to an Uber employee claiming to be a corporate IT staffer, which persuaded the staff member to reveal a password.
However, Uber clarified Monday that the hacker gained access using credentials from a third-party contractor. Furthermore, the company said it's "likely" that the Lapsus$ hacker obtained the contractor's Uber corporate password by purchasing it on the dark web, after the contractor's personal device had been infected with malware.
After that, Uber said, the hacker repeatedly tried to log in to the contractor's Uber account but was stymied by a two-factor login approval request. However, the contractor eventually accepted one of those requests. From there, the hacker obtained elevated permissions to a number of internal tools, including G-Suite and Slack.
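The pattern described in the last paragraph, a run of rejected or expired MFA push prompts followed by an approval, is something an identity team can look for in authentication logs. The following is an added example, not code from the article or from Uber; it assumes a constructed log format with hypothetical result names (push_denied, push_timeout, push_approved) and flags any approval preceded by several failed prompts for the same user within a time window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real Uber logs): time, user, MFA result, source IP.
SAMPLE_LOG = """\
2022-09-15T21:02:11Z contractor1 push_denied 198.51.100.7
2022-09-15T21:02:40Z contractor1 push_timeout 198.51.100.7
2022-09-15T21:05:03Z contractor1 push_denied 198.51.100.7
2022-09-15T21:31:57Z contractor1 push_timeout 198.51.100.7
2022-09-15T22:14:09Z contractor1 push_approved 198.51.100.7
2022-09-15T09:00:01Z employee2 push_approved 203.0.113.5
2022-09-15T09:00:30Z employee3 push_denied 203.0.113.9
2022-09-15T09:01:10Z employee3 push_approved 203.0.113.9
"""

FAILED = {"push_denied", "push_timeout"}  # hypothetical result names

def parse_events(text):
    """Parse one event per line into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, result, src = parts
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "result": result, "src": src})
    return events

def find_mfa_fatigue(events, min_failures=3, window=timedelta(hours=2)):
    """Flag approvals preceded by >= min_failures rejected/expired prompts
    for the same user within `window`: the repeated-prompt pattern."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])  # events may arrive out of order
        for i, e in enumerate(evs):
            if e["result"] != "push_approved":
                continue
            prior = [p for p in evs[:i]
                     if p["result"] in FAILED and e["ts"] - p["ts"] <= window]
            if len(prior) >= min_failures:
                alerts.append({"user": user, "approved_at": e["ts"].isoformat(),
                               "failed_prompts": len(prior),
                               "sources": sorted({p["src"] for p in prior + [e]})})
    return alerts
```

A single denied prompt before an approval (employee3 above) is normal user behaviour and is not flagged; the threshold and window are tuning knobs, not fixed rules.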