Uber suspects a member of the LAPSUS$ hacking gang is behind a recent breach at the ride-hailing provider. In a Monday update about the hack, the company says the culprit infiltrated Uber using techniques similar to those unleashed on other tech companies earlier this year.
LAPSUS$ made waves in February and March when the group successfully stole data from Nvidia, Microsoft, and Samsung, among others. Police in the UK later arrested seven people for their roles in the LAPSUS$ gang. Two of the suspects, a 16-year-old and 17-year-old, were later charged with computer hacking crimes.
However, it’s possible at least one member of LAPSUS$ remains at large. Some of the group’s early targets were in South America, which has caused researchers to suspect other gang members may be based not in the UK, but a continent away.
The hacker who breached Uber reportedly describes himself as an 18-year-old. He’s also been using the screen name “Tea Pot.”
In addition, Uber’s update notes that the hacker may have also orchestrated a breach at Rockstar Games, which led to video leaks of the unreleased Grand Theft Auto VI over the weekend. The attacker who hit Rockstar is using the screen name “teapotuberhacker” in forums, and has claimed responsibility for infiltrating Uber, but without providing evidence. Nevertheless, teapotuberhacker says he breached Rockstar Games by targeting its Slack account.
In its own update, Uber adds: “We are in close coordination with the FBI and US Department of Justice on this matter and will continue to support their efforts.”
The update goes on to say the hacker breached Uber by targeting a company contractor. “It is likely that the attacker purchased the contractor’s Uber corporate password on the dark web, after the contractor’s personal device had been infected with malware, exposing those credentials,” Uber said.
“The attacker then repeatedly tried to log in to the contractor’s Uber account. Each time, the contractor received a two-factor login approval request, which initially blocked access. Eventually, however, the contractor accepted one, and the attacker successfully logged in,” Uber adds.
Once access was achieved, the hacker was able to break into several other employee accounts, which paved a way to access Uber’s G Workspace and Slack accounts. In response, the ride-hailing company has been investigating its internal systems to find out what was affected.
In some good news, Uber says it found no evidence the hacker ever accessed user account information, including customer credit card numbers. “We reviewed our codebase and have not found that the attacker made any changes,” the company added. “We also have not found that the attacker accessed any customer or user data stored by our cloud providers.”
However, the hacker did download some internal messages on Uber’s Slack account, along with files “from an internal tool our finance team uses to manage some invoices.” Uber adds it's continuing its investigation with the help of several leading forensics firms and is working to bolster its cyber defenses from future attacks.