Uber Experienced A Massive Security Breach, Compromised By An 18-Year-Old Hacker

16/09/2022

The bigger they are, the harder they fall.

When it comes to technology companies, the bigger they are, the more weak points they have to take care of.

Failure to protect even one weak link can result in a catastrophe.

And this is exactly what happened to Uber, the ride-hailing giant considered among the pioneers in the business.

The company is investigating a cybersecurity incident after a hacker claimed to have gained access to its internal network system.

During the investigation, and to "lock down everything internally," the transport company founded by Travis Kalanick took a number of its internal services offline, including its messaging and engineering services.

The person claiming responsibility for the hack said that he gained access to Uber's internal systems by posing as a corporate information technology person and convincing a company employee to share a password with him.

And the alleged hacker is only 18 years old.

Using the password he was given, the hacker could get inside Uber's internal systems, and was free to roam.

For example, the hacker gained access to Uber's corporate VPN and its cloud-based services, and used that privilege to access internal documents, and discover even more login credentials for other services and areas.

The hacker then used the escalated privileges to go even deeper into the company's broader environment.

After doing what he wanted to do, the hacker accessed the internal messaging service Slack through the Uber employee's account, and sent employees a message saying, “I announce I am a hacker and Uber has suffered a data breach.”

The message was followed by a bunch of reaction emojis, including siren symbols.

As proof, the hacker sent images of email, cloud storage and code repositories he stole to The New York Times, the news agency that first reported the case to the public.

He also posted a picture of a penis on the company’s internal websites.

Fortunately for Uber, it's reported that there has been no indication that Uber's fleet of vehicles, its customers or payment data have been affected by the hack.

There is also no indication that the hacker had done any internal damage.

Uber released a statement to say that there was "no evidence" that the hacker had accessed "sensitive user data (like trip history)."

However, the company didn't provide much context for what that means.

While the alleged hacker is just 18 years old, it is reported that he has been working on his cybersecurity skills for several years, and hacked Uber because "they had weak security".

When announcing the breach in the Slack message, the person also said that Uber drivers should receive higher pay.

"It was really bad the access he had. It's awful," said Corbin Leo, one of the researchers who chatted with the hacker online.

This is because, according to the screenshots the person shared, the teenage hacker also got access to Uber data stored on Amazon and Google cloud-based servers, where the company keeps its source code, financial data and customer data such as driver's licenses.

"If he had keys to the kingdom he could start stopping services. He could delete stuff. He could download customer data, change people's passwords," explained Leo, who is also the head of business development at the security company Zellic.

Sam Curry, an engineer working for Yuga Labs who also communicated with the hacker, said there was no indication that the hacker had done any damage or was interested in anything more than publicity.

After making sure that no holes were left open for the 18-year-old, Uber resumed all its internal services.

In a statement posted online, Uber said "internal software tools that we took down as a precaution yesterday are coming back online."

It said that all its services, including Uber Eats and Uber Freight, are operational.

It's worth noting though, that both Curry and Leo said the hacker did not indicate how much data was copied. What's more, Uber did not recommend any specific actions for its users, such as changing passwords.

Both Curry and Leo managed to personally contact the hacker, following the hacker's alert.

The hacker used Uber's internal HackerOne account on the company's network, which is used to post vulnerabilities identified through its bug-bounty program, a program that pays ethical hackers to help patch its systems.

After commenting on those posts, the hacker provided a Telegram account address, which Curry and Leo then used to engage with the hacker.

In the tech world, where multi-factor authentication has become common, and brute forcing a password can take forever, social engineering has become a popular hacking strategy.

Instead of using malware to create backdoors, social engineering makes use of the fact that humans tend to be the weakest link in any network.

In this cybersecurity incident, the hacker never hacked his way in.

Instead, he used a social engineering trick to fool an unsuspecting Uber employee into giving him the key.

Without having to break into anything, the 18-year-old simply had to walk in through the front door.

In a follow-up posted to its Security Update page, Uber published additional information about how it was hacked, claiming that it was targeted by Lapsus$, the cybercriminal gang with a hefty track record that is thought to be composed largely of teenagers.
