Uber Technologies Inc. has suffered yet another data breach, with a hacker sharing the stolen data on BreachForums, the successor forum for the now-shuttered RaidForums.
The unimaginative hacker goes by the name of “UberLeak,” and the post on BreachForums reads “hacked by autistic fisherman Arion and scammed all LAPSUS$ members.” Lapsus$ is an infamous hacking group, but aside from the forum post, there is no indication of any link to the group.
The leaked data includes numerous archives claiming to be source code associated with the mobile device management platforms used by Uber, the company’s food delivery service Uber Eats and third-party vendor services. The stolen data consists of internal code and Uber corporate data; no Uber user information was found in it. However, the stolen data did include the details of 77,000 Uber employees.
“Given that the data is now publicly accessible, as opposed to being sold to a single party, anyone could use it to launch targeted phishing attacks against Uber employees,” Paul Bischoff, privacy advocate at tech research site Comparitech Ltd., told SiliconANGLE. “These attacks could trick Uber staff into giving up login credentials, leading to further, more consequential attacks. Even if only a handful of employees out of the 77,000 affected were to fall victim to a phishing scam, it could be detrimental to Uber and its customers.”
A spokesperson for Uber told Bleeping Computer that the “files are related to an incident at a third-party vendor and are unrelated to our security incident in September.” The security incident in September was reported at the time as involving a hacker breaching internal systems and leaving messages that they had accessed critical information.
Uber pointed to a security notice from IT asset management software company Teqtivity Inc. The breach notification states that a malicious third party was able to gain access to the company’s Amazon Web Services Inc. backup server that housed Teqtivity code and data files related to customers.
The number of times Uber has been hacked and/or suffered data breaches is notable in that the incidents are difficult to count. To say that Uber was breached yet again is to say the sun rises in the east. Companies have shut down for far less than Uber’s ongoing and appallingly bad cybersecurity, but every time it seemingly gets a free pass.
Among nearly countless Uber data breaches, the most infamous occurred in 2016. Most will remember that breach not for the theft of 57 million customer records containing personally identifiable information, but for the fact that former Uber Chief Security Officer Joe Sullivan covered it up.
Sullivan was found guilty of obstruction of justice and “misprision” or concealment of a felony in October. As noted when he was found guilty, Sullivan had previously played a pivotal role in responding to U.S. Federal Trade Commission inquiries about Uber’s cybersecurity practices following an earlier breach in 2014.
“Unfortunately due to historical events, Uber will not only continue to be a target but will also be under a microscope when it comes to security incidents,” Erich Kron, security awareness advocate at security awareness training company KnowBe4 Inc., explained. “If this is indeed data collected from a third party, it does serve to remind organizations that any time other parties have access to information, it can potentially be an issue.”
Stephan Chenette, co-founder and chief technology officer at real-time cybersecurity readiness company AttackIQ Inc., noted that “besides the high-profile breach that occurred three months ago that caused the company’s internal databases to be hacked, Uber also faced other significant attacks in the past, such as a massive data breach in 2016 that exposed the data of about 57 million customers and drivers.”
“The failed protection of a third-party vendor in the most recent attack reveals that companies everywhere must better prioritize their cybersecurity measures,” Chenette added.