Uber Technologies Inc.
on Monday provided additional details in connection with last week’s security breach. The ride-hailing company said an EXT contractor had their account compromised by an attacker, according to a regulatory filing. The company said it is likely the attacker purchased the contractor’s Uber corporate password on the dark web after their personal device had been infected with malware. The contractor accepted a two-factor login approval request after repeated requests from the attacker, resulting in a successful login.
The San Francisco-based company said it believes the attacker or attackers are affiliated with hacking group Lapsus$. The company’s investigation is still ongoing. Uber said it hasn’t seen that the attacker accessed its production systems that power its apps, any user accounts or databases it uses to store sensitive user information. The company added that it reviewed its codebase and hasn’t found that the attacker made any changes. Uber also said it hasn’t found that the attacker accessed any customer or user data stored by its cloud providers. The attacker downloaded some internal Slack messages, as well as accessed or downloaded information from an internal tool its finance team uses to manage some invoices, Uber said, adding that it is currently analyzing the downloads. The attacker was able to access its dashboard at HackerOne, but any bug reports the attacker was able to access have been remediated, Uber said.