Uber suffered an embarrassing breach Thursday as a hacker accessed customer data, employee messaging services and other internal systems.
Claiming to be an 18-year-old hacker going as “Tea Pot,” the anonymous cyber infiltrator, had “full access” to the company’s database, including Amazon and Google-hosted cloud environments where Uber stores its source code and customer data, the Daily Mail reported.
Someone hacked an Uber employees HackerOne account and is commenting on all of the tickets. They likely have access to all of the Uber HackerOne reports. pic.twitter.com/00j8V3kcoE
— Sam Curry (@samwcyo) September 16, 2022
“They pretty much have full access to Uber,” Sam Curry, an engineer at Yuga Labs who communicated with the hacker, told The New York Times. “This is a total compromise, from what it looks like.”
Tea Pot mocked Uber employees on Slack, sending nude images of male genitalia and writing “F**K YOU DUMB WANKERS!”
From an Uber employee:
Feel free to share but please don’t credit me: at Uber, we got an “URGENT” email from IT security saying to stop using Slack. Now anytime I request a website, I am taken to a REDACTED page with a pornographic image and the message “F*** you wankers.”
— Sam Curry (@samwcyo) September 16, 2022
Uber employees at first believed the interactions were a joke and continued to log onto internal systems, Curry said.
From another Uber employee:
Instead of doing anything, a good portion of the staff was interacting and mocking the hacker thinking someone was playing a joke. After being told to stop going on slack, people kept going on for the jokes. lmao
— Sam Curry (@samwcyo) September 16, 2022
“I announce I am a hacker and Uber has suffered a data breach,” Tea Pot wrote to employees after accessing the system, according to the New York Times.
While there is no indication the hacker did any damage or sought to sell data, Uber has asked law enforcement to investigate the security breach.
“We are in touch with law enforcement and will post additional updates here as they become available,” Uber said in a tweet but offered no additional details.
The hacker allegedly gained access to the database through security research firm HackerOne, where he posed as an employee with the IT department and conned an employee into giving him their password. From there he was able to access internal systems in what Uber described as a “cybersecurity incident.”
“[We are] in close contact with Uber’s security team, have locked their data down, and will continue to assist with their investigation,” said HackerOne’s Chief Hacking Officer Chris Evans.
SalesForce, Inc., the parent company of Slack, said they were investigating any vulnerabilities but there was no indication they had been jeopardized in the breach, according to Reuters.
“My gut feeling is that it seems like they are out to get as much attention as possible,” Curry said of Tea Pot.
Among other barbs, Tea Pot said Uber should pay their drivers more.
“The hacker alerted Curry and other security researchers to the intrusion by using and an internal Uber account to comment on vulnerabilities they had previously identified on the company’s network through its bug-bounty program, which pays ethical hackers to identify vulnerabilities,” the Daily Mail reported.
This is not Uber’s first run in with cybersecurity weaknesses. In 2016, the company suffered a breach that exposed the personal information of 57 million customers and drivers and paid $100,000 in ransom for the data. The company’s cybersecurity chief was fired and charged with obstruction for not reporting the incident to the Federal Trade Commission.
“A U.S. judge last month dismissed the three wire fraud charges against Joseph Sullivan although he still faces two charges of obstructing a U.S. Federal Trade Commission proceeding and failing to report a felony,” Reuters reported.
DONATE TO BIZPAC REVIEW
Please help us! If you are fed up with letting radical big tech execs, phony fact-checkers, tyrannical liberals and a lying mainstream media have unprecedented power over your news please consider making a donation to BPR to help us fight them. Now is the time. Truth has never been more critical!
- Nurse given light sentence after injecting THOUSANDS with saline instead of COVID vaccine - December 1, 2022
- MacCallum makes mincemeat out of Kirby who squirms over hypocritical Apple vs Twitter treatment - December 1, 2022
- Mom spends big bucks to have daughter deprogrammed after college… and it worked! - November 29, 2022
Comment
We have no tolerance for comments containing violence, racism, profanity, vulgarity, doxing, or discourteous behavior. If a comment is spam, instead of replying to it please click the ∨ icon below and to the right of that comment. Thank you for partnering with us to maintain fruitful conversation.
BPR INSIDER COMMENTS
Scroll down for non-member comments or join our insider conversations by becoming a member. We'd love to have you!
