Uber says it believes hacker who carried out last week’s breach is affiliated with Lapsus$ extortion group
Uber has said it believes the hacker who carried out last week’s breach of the company’s systems is affiliated with the Lapsus$ group, known for stealing data from companies such as Microsoft, Cisco, NVIDIA, Samsung and Okta with the aim of extorting payments from them.
The ride-hailing giant said the attacker had stolen credentials from an external contractor using a fatigue attack, in which the target is flooded with two-factor login requests until one of them is accepted.
The attacker then breached several other employee accounts that gave them access to tools including Google Workspace and Slack, Uber said.
“The attacker then posted a message to a company-wide Slack channel… and reconfigured Uber’s OpenDNS to display a graphic image to employees on some internal sites,” Uber said in a statement.
The company said it had not seen indications that the attacker had accessed the systems that powered its apps, user accounts or the databases that store sensitive data such as credit card numbers, bank account information or trip history.
It said it had reviewed its codebase and did not believe the attacker had made any changes.
“We also have not found that the attacker accessed any customer or user data stored by our cloud providers (e.g. AWS S3),” Uber stated.
The company said its investigation was ongoing and that it was in close contact with the FBI and the US Department of Justice.
The incident on Friday disabled Uber’s internal messaging system, forcing staff to communicate via Salesforce-owned app Slack.
The hacker in question, who uses the name “teapotuberhacker”, reportedly claimed to have leaked early gameplay footage of Rockstar Games’ upcoming game Grand Theft Auto VI on Monday.
The hacker posted a message on a forum about wanting to “negotiate a deal” with Rockstar to stop them from leaking more sensitive data.