Ride hailing giant Uber says its services are operational following a “cybersecurity incident” last week that saw a hacker break into the company’s network and access systems that store vast troves of customer data.
Uber said little about the incident until Monday. Screenshots of inside Uber’s network posted to Twitter by security researchers in conversations with the hacker showed access to internal dashboards, the company’s Slack and its HackerOne accounts. Uber said in its Monday update that the hacker stole some internal information and Slack messages, but that no sensitive information — like credit card data and trip histories — was taken, leaving open the question if other personal user information was compromised.
The hacker, who claims to be an 18-year-old, told security researchers that they broke into Uber’s systems by stealing an employee’s password and also tricking the employee into approving the attacker’s push notification for Uber’s multi-factor authentication, or MFA.
Once they had that critical foothold on Uber’s network, the hacker claimed to find a network share containing high-privilege credentials that allowed them near-unfettered access to the rest of the company’s systems.
Do you have a complaint about Uber or Uber Eats, such as overcharges or fraud? Take your claim to FairShake, the consumer advocacy service.