Uber said it contacted US law enforcement after a hacker apparently hacked into its network.
A security engineer said the intruder provided evidence that he gained access to crucial systems at the ride-sharing service.
There was no indication that Uber’s fleet of vehicles or its operation had been affected in any way.
“It looks like they’ve compromised a lot of things,” said Sam Curry, a Yuga Labs engineer who contacted the hacker.
That includes full access to cloud environments hosted by Amazon and Google where Uber stores its source code and customer data, he said.
Mr Curry said he spoke to several Uber employees who said they were “working to lock everything down internally” to restrict the hacker’s access. This included the San Francisco company’s internal Slack messaging network.
He said there was no indication the hacker caused any damage or was interested in anything other than publicity. “My gut feeling is that it looks like they’re looking to get as much attention as possible.”
The hacker had alerted Mr Curry and other security researchers to the intrusion on Thursday evening by using an internal Uber account to comment on vulnerabilities they had previously identified in the company’s network through its bug bounty program, which pays ethical hackers to flush out network weaknesses.
The hacker provided a Telegram account address, and Mr Curry and other researchers then engaged them in a separate conversation, in which the hacker shared screenshots of various pages from Uber’s cloud providers to prove they had broken in.
The New York Times reported that the person who claimed responsibility for the hack said he gained access through social engineering. They texted an Uber employee claiming to be a technology employee of the company and persuaded the employee to hand over a password that gave them access to the network.
The Times said the hacker claimed to be 18 and said he broke in because the company had weak security.
A screenshot posted to Twitter and confirmed by researchers shows a conversation with the hacker in which they say they obtained the credentials of an administrative user through social engineering, which is a popular hacking strategy because humans tend to be the weakest link in any network.
Teenagers used a similar scheme in 2020 to hack Twitter.
Uber said via email that it is “currently responding to a cybersecurity incident. We are in contact with law enforcement.”
The company has been hacked before.
Its former security chief, Joseph Sullivan, is currently on trial over allegations that he arranged to pay hackers $100,000 to cover up a 2016 high-tech heist in which the personal information of about 57 million customers and drivers was stolen.