Uber was hacked, and it had to take its internal messaging service and engineering systems offline to investigate the incident, according to The New York Times. Sources who talked to the publication said employees were instructed not to go on Slack, where the bad actor had posted a message that read “I announce I am a hacker and Uber has suffered a data breach” (along with a bunch of emoji) before it was pulled offline. In a tweet confirming the breach, the company said that it’s currently responding to a cybersecurity incident and that it’s now in touch with law enforcement.
We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available.
— Uber Comms (@Uber_Comms) September 16, 2022
The company didn’t say what exactly the hacker was able to access and if user data was compromised. The Times says the hacker’s Slack message also listed databases they claim they were able to infiltrate, though. And based on screenshots seen by The Washington Post, the bad actor boasted about being able to gather internal code and messaging data. An Uber spokesperson explained that the bad actor was able to post on the company Slack after compromising a worker’s account. They then gained access to Uber’s other internal systems and posted an explicit photo on an internal page.
Bug bounty hunter and security researcher Sam Curry tweeted information reportedly from an Uber employee that could be about that explicit photo:
From an Uber employee:
Feel free to share but please don’t credit me: at Uber, we got an “URGENT” email from IT security saying to stop using Slack. Now anytime I request a website, I am taken to a REDACTED page with a pornographic image and the message “F*** you wankers.”
— Sam Curry (@samwcyo) September 16, 2022
Uber admitting the incident and getting in touch with authorities shortly after it happened is a massive departure from how it handled the data breach it suffered back in 2016. The company hid that attack for a year and instead of reporting the incident, it paid the hackers $100,000 to delete the information they stole. Former Uber security chief Joseph Sullivan was fired and eventually charged with obstruction of justice for the role he played in the coverup, though his lawyers argued that he was used as a scapegoat. Uber settled with the Justice Department for failing to disclose the breach in July this year.