Uber says Lapsus$ hackers behind network breach

Uber has traced its recent high-profile breach to the theft of a contractor's account credentials by alleged members of the Lapsus$ hacking group.

In an updated statement made Monday, the transportation company said the lone account was used as the springboard for a wide-ranging compromise within its corporate network that resulted in a data leak last week.

"We believe that this attacker (or attackers) are affiliated with a hacking group called Lapsus$, which has been increasingly active over the last year or so," Uber said in a statement. "This group typically uses similar techniques to target technology companies, and in 2022 alone has breached Microsoft, Cisco, Samsung, Nvidia and Okta, among others."

According to Uber, the breach began when one of its external contractors had their account credentials lifted by the attacker. The contractor's credentials were easy enough for the hacker to obtain. According to Uber's statement, investigators believe the username and password were likely obtained from a previous malware on the dark web.

However, getting around two-factor authentication (2FA) for the account required multiple attempts. Uber said the attacker repeatedly attempted to log into the account, generating many 2FA approval notifications in an attack technique known as "MFA bombing." Uber said the contractor eventually clicked on one of the approval requests, which gave the attacker access to the account.

Once inside Uber's network, the attacker elevated privileges by taking over additional accounts. They eventually obtained access and read privileges for several important internal systems, including Uber's internal source code repositories, Slack messages, finance tools and resolved bug reports from its HackerOne bug bounty portal.

"We reviewed our codebase and have not found that the attacker made any changes. We also have not found that the attacker accessed any customer or user data stored by our cloud providers (e.g. AWS S3)," Uber said.

"It does appear that the attacker downloaded some internal Slack messages, as well as accessed or downloaded information from an internal tool our finance team uses to manage some invoices. We are currently analyzing those downloads."

Uber said it does not believe that any customer account or payment information was accessed or exposed in the attack.

Uber's latest report sheds new light on what was already a high-profile data breach. The hackers spent much of last week publicizing their haul of corporate information and openly taunting the ride-sharing giant for its allegedly lax network security and data protections.

Such activity further substantiates Uber's claim that Lapsus$ was behind the breach. The extortion crew prefers widespread publicity over keeping its exploits low-key and pursuing ransoms.

Lapsus$ achieved notoriety this year with attacks on Okta, Nvidia, and Cisco. In its statement, Uber referenced the recent breach of video game publisher Rockstar Games, which saw a leak of confidential material related to the company's forthcoming installment of the popular Grand Theft Auto series. The hacker, who also claimed responsibility for the Uber breach, went on a data-dumping spree this weekend, leaking dozens of internal gameplay videos.

Uber said it is working with both law enforcement and external forensics investigators to track down the attackers responsible.