Uber said Friday it was investigating a “cybersecurity incident” and declined to comment on reports that a young hacker had gained access to the ride-hailing company’s digital network.
The California company announced the attack Thursday night in a tweet, and a hacker who said he was 18 years old then posted screenshots taken from inside Uber’s computers.
“He says that he simply, after determining a valid username and password, tricked an Uber staff member into granting him access to internal systems,” independent cybersecurity analyst Graham Cluley said on his website.
“We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available.” — Uber Comms (@Uber_Comms), September 16, 2022
Online comments allegedly made by the hacker indicated that he targeted an Uber employee with notifications for more than an hour and then communicated with the worker via WhatsApp, claiming to be a member of the company’s technical support team.
“Many other companies are likely at risk of falling for a similar scam,” Cluley said.
Uber said Friday that all of its services were operational and that it had “no evidence that the incident involved access to sensitive data,” such as users’ trip history.
Employee software tools that had been taken out of operation as a precautionary measure were gradually being restarted, the San Francisco-based company added.
“There’s a reason why cybersecurity experts say the human factor is often the weakest link,” said Ray Kelly, a member of Synopsys Software Integrity Group in Silicon Valley.
“Whether it’s through phishing, with SMS attacks or with a simple phone call to get an employee to give up their credentials, ‘social engineering’ will be the easiest route for an actor with bad intentions.”