Uber said it was “currently responding to a cybersecurity incident” after reports that a hacker had compromised its systems.
On Thursday, Uber said it was investigating a cybersecurity incident after reports the ride-hailing company had been hacked.
“We are currently responding to a cybersecurity incident,” Uber said in a statement on Twitter. “We are in contact with law enforcement and will post further updates here as they become available.”
A hacker gained control of Uber’s internal systems after compromising an employee’s Slack account, according to The New York Times, which says it communicated directly with the attacker. Slack, a workplace messaging service, is used by many tech companies and startups for everyday communication. Uber has now disabled its Slack, according to multiple reports.
Uber shares fell 4% in premarket trading on Friday following news of the hack.
After compromising Uber’s internal Slack in a so-called social engineering attack, the hacker then accessed other internal databases, the Times reported. In one Slack message, the hacker is said to have written: “I am announcing that I am a hacker and Uber has suffered a data breach.”
A separate report from The Washington Post said the alleged attacker told the newspaper that they hacked Uber for fun and could leak the company’s source code in a few months.
Officials initially thought the attack was a prank and responded to Slack messages from the alleged hacker with emojis and GIFs, the Post reported, citing two people familiar with the matter.
Screenshots shared on Twitter suggest the hacker was also able to take over Uber’s Amazon Web Services and Google Cloud accounts and gain access to internal financial data.
CNBC was unable to independently verify the information. Uber declined to comment beyond its statement posted on Twitter.
While it’s not yet entirely clear how Uber’s systems were compromised, cybersecurity researchers said initial reports indicated the hacker eschewed sophisticated hacking techniques in favor of social engineering. This is where criminals take advantage of people’s gullibility and inexperience to gain access to corporate accounts and sensitive data.
“It’s a pretty low-level attack,” said Ian McShane, vice president of strategy at cybersecurity firm Arctic Wolf. “Given the access they claim to have gained, I’m surprised the attacker didn’t try to get a ransom or extortion, it looks like they did it ‘for the lulz’.”
“This is proof once again that often the weakest link in your security defense is the human,” McShane added.
News of the attack comes as Uber’s former security chief, Joe Sullivan, faces trial over a 2016 breach in which the records of 57 million users and drivers were stolen. In 2017, the company admitted it covered up the attack and the following year paid $148 million in a settlement with 50 US states and Washington
Uber has tried to clean up its image since the 2017 departure of Travis Kalanick, the controversial former CEO who founded the company in 2009. But scandals and controversies from Kalanick’s tumultuous tenure continue to haunt the company.
In July, The Guardian reported the leak of thousands of documents detailing how Uber is entering cities around the world, even if it means breaking local laws. In one instance, former CEO Travis Kalanick said “violence guarantees success” after he confronted other executives about safety concerns for Uber drivers sent to protest in France.
In response to The Guardian’s report at the time, Uber said the events related to “past conduct” and were “not consistent with our current values.”