Uber has confirmed that the recent breach of its systems started with a compromised account belonging to a contractor.
“It is likely that the attacker purchased the contractor’s Uber corporate password on the dark web, after the contractor’s personal device had been infected with malware, exposing those credentials,” the company said.
Uber did not explain why, but said that they believe that this attacker are affiliated with the Lapsus$ hacking group.
When the Uber contractor finally accepted the request, the attacker logged into their account and, from there,” the attacker accessed several other employee accounts which ultimately gave the attacker elevated permissions to a number of tools, including G-Suite and Slack.
The attacker also posted a message to a company-wide Slack channel and reconfigured Uber’s OpenDNS to display a graphic image to employees on some internal sites, Uber added.
Uber says that they have so far found no evidence that the attacker accessed public-facing systems powering their apps, user accounts, or their databases; nor that the attacker made changes to their codebase.