Uber discovered its computer network had been breached on Thursday, leading the company to take several of its internal communications and engineering systems offline as it investigated the extent of the hack. From a report: The breach appeared to have compromised many of Uber’s internal systems, and a person claiming responsibility for the hack sent images of email, cloud storage and code repositories to cybersecurity researchers and The New York Times. “They pretty much have full access to Uber,” said Sam Curry, a security engineer at Yuga Labs who corresponded with the person who claimed to be responsible for the breach. “It is a total compromise, from what it looks like.”
An Uber spokesman said the company was investigating the breach and contacting law enforcement officials. Uber employees were instructed not to use the company’s internal messaging service, Slack, and found that other internal systems were inaccessible, said two employees, who weren’t authorized to speak publicly. Shortly before the Slack system was taken offline on Thursday afternoon, Uber employees received a message that read, “I announce I’m a hacker and Uber has suffered a data breach.” The message went on to list several internal databases that the hacker claimed had been compromised.
BleepingComputer adds: According to Curry, the hacker also had access to the company’s HackerOne bug bounty program, where they commented on all of the company’s bug bounty tickets. Curry told BleepingComputer that he first learned of the breach after the attacker left the above comment on a vulnerability report he submitted to Uber two years ago. Uber runs a HackerOne bug bounty program that allows security researchers to privately disclose vulnerabilities in their systems and apps in exchange for a monetary bug bounty reward. These vulnerability reports are meant to be kept confidential until a fix can be released to prevent attackers from exploiting them in attacks.
Curry further shared that an Uber employee said the threat actor had access to all of the company’s private vulnerability submissions on HackerOne. BleepingComputer was also told by a source that the attacker downloaded all vulnerability reports before they lost access to Uber’s bug bounty program. This likely includes vulnerability reports that haven’t been fixed, presenting a severe security risk to Uber. HackerOne has since disabled the Uber bug bounty program, cutting off access to the disclosed vulnerabilities.