On Monday, September 19, Uber posted an update on its blog about the security breach that happened on September 15 and affected several internal systems.

The company pointed to the Lapsus$ hacking group as the author of the attack, but the investigation is still ongoing. Uber is working with the FBI and the US Justice Department on the matter.

Lapsus$ is a South American hacking group responsible for a series of attacks on technology giants like Microsoft, Samsung, and Okta.

What Data Was Affected by the Breach

The cybercriminals reached several internal systems; however, Uber says that no sensitive data was stolen.

First and foremost, we’ve not seen that the attacker accessed the production (i.e. public-facing) systems that power our apps; any user accounts; or the databases we use to store sensitive user information, like credit card numbers, user bank account info, or trip history. We also encrypt credit card information and personal health data, offering a further layer of protection.


Lapsus$ managed to exfiltrate some internal messages and financial information, and access several internal tools, including G-Suite and Slack.

A big red flag was that the attackers infiltrated Uber’s dashboard at HackerOne, accessing reports about bugs and vulnerabilities that cybersecurity specialists had discovered in Uber apps. But the company announced that the bugs have been fixed since then.

“On Thursday, news of the breach spread after a hacker posted a message to a company-wide Slack channel. The hacker then reconfigured Uber’s OpenDNS to display a graphic image to employees on some internal sites”, according to ZDNet.

How Was the Attack Possible

Initially, The New York Times reported that the hackers gained access through social engineering. They had information about an employee who was tricked into giving up his credentials to a fake corporate IT staffer.

But Uber says that the Lapsus$ hackers used credentials from a third-party vendor. These credentials were most probably purchased on the dark web after malware had infected the contractor’s personal device.

The attacker then repeatedly tried to log in to the contractor’s Uber account. Each time, the contractor received a two-factor login approval request, which initially blocked access. Eventually, however, the contractor accepted one, and the attacker successfully logged in.
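The login pattern described above (a run of unanswered or rejected two-factor prompts ending in one approval) can be flagged from authentication logs. The following is an added example, not code from Uber or from the original article; the event fields, user names, addresses, window, and threshold are all assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample MFA push events (not real logs):
# (timestamp, user, source_ip, result) with result in denied/timeout/approved
EVENTS = [
    ("2024-01-10T02:00:00", "contractor-01", "203.0.113.7", "denied"),
    ("2024-01-10T02:03:00", "contractor-01", "203.0.113.7", "timeout"),
    ("2024-01-10T02:05:00", "contractor-01", "203.0.113.7", "denied"),
    ("2024-01-10T02:09:00", "contractor-01", "203.0.113.7", "denied"),
    ("2024-01-10T02:11:00", "contractor-01", "203.0.113.7", "approved"),
    # One mistaken rejection followed by an approval: normal behaviour.
    ("2024-01-10T09:00:00", "alice", "198.51.100.20", "denied"),
    ("2024-01-10T09:01:00", "alice", "198.51.100.20", "approved"),
    # Rejections spread over hours: each falls outside the window.
    ("2024-01-10T08:00:00", "bob", "198.51.100.31", "denied"),
    ("2024-01-10T09:00:00", "bob", "198.51.100.31", "denied"),
    ("2024-01-10T10:00:00", "bob", "198.51.100.31", "denied"),
    ("2024-01-10T10:05:00", "bob", "198.51.100.31", "approved"),
]


def detect_push_fatigue(events, window=timedelta(minutes=30), min_rejected=3):
    """Flag approvals that follow >= min_rejected rejected pushes
    (denied or timed out) for the same user inside the time window."""
    alerts = []
    rejected_by_user = {}  # user -> timestamps of recent rejected pushes
    for ts, user, ip, result in sorted(events):  # ISO timestamps sort in time order
        now = datetime.fromisoformat(ts)
        # Keep only rejections that are still inside the sliding window.
        recent = [t for t in rejected_by_user.get(user, []) if now - t <= window]
        if result in ("denied", "timeout"):
            recent.append(now)
        elif result == "approved":
            if len(recent) >= min_rejected:
                alerts.append({
                    "user": user,
                    "source_ip": ip,
                    "approved_at": ts,
                    "rejected_before": len(recent),
                })
            recent = []  # an approval ends the current run
        rejected_by_user[user] = recent
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(EVENTS):
        print(alert)
```

An alert from this rule is a reason to revoke the session and reset the account's credentials, since the approval itself is the suspicious event.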

