Lessons from Uber’s Recent Breach
On Sept 15th, a curious teenage hacker looking for fun compromised Uber in a serious way, gaining administrative access to the company’s massive cloud instance, development environments, tools, and even their access management server! The hacker joked about how terribly easy it was and shared proof with news outlets, on hacker message boards, and even with employees on Uber’s internal Slack communication tool.
The attack was not masterful, but rather simple, and yet snowballed into a massive data breach.
This is not the first big breach that Uber has experienced. Back in 2016, another breach occurred, affecting 57 million people, and executives tried to conceal it. That resulted in a $148 million fine and an agreement with the FTC to maintain a comprehensive privacy program for 20 years.
As for this recent hack, it started with a simple social engineering attack that granted access to the internal network. Then, while the hacker was snooping around, a PowerShell script was found that contained administrator-level access, which cascaded into Super Admin permissions across the company.
Security experts describe this hack as a “total compromise”, which is a term not often used.