Uber hacked by a teenager using ‘social engineering’ to steal credentials from employee

According to reports, employees thought that messages left by the hacker on Slack were part of a joke.

FPJ Web Desk Updated: Friday, September 16, 2022, 06:03 PM IST

On average, a single data breach can cost as much as $4.35 million, and cybercrime is expected to cause damages worth more than $10 trillion globally by 2025. Almost all major platforms, including Facebook, LinkedIn and Yahoo, have been hit by data breaches, with the largest cyberattack hitting Yahoo in 2013, when it lost info on three billion users. The latest to suffer a data breach is ride-hailing giant Uber, which was attacked on Thursday afternoon.

The hacker gained access to the company’s vulnerability reports, internal systems, Slack server and emails, before sharing screenshots. The leaked data includes credentials of drivers and sensitive information about customers as well. Uber’s Google Workspace email dashboard was also hacked and the cybercriminal posted messages on its Slack server. Uber acknowledged the attack in a tweet and is investigating the breach in coordination with law enforcement.

Teenage troublemaker

According to a New York Times report, the attacker used social engineering to steal an Uber employee’s password to gain access to critical IT systems. He claims to be 18 years old and to have hacked the company’s servers because of its weak security systems. The Washington Post also reported that employees thought that the messages left by the hacker on Slack were part of a prank.

What’s social engineering?

Social engineering is simply a strategy of interacting with users after studying their background and identifying weak security protocols. Manipulation is used to trick the individual into breaking security practices or revealing information that can help decode their credentials. This approach exploits human error rather than looking for vulnerabilities in software, and has been used against Twitter, Robinhood and MailChimp in the past.

The attacker also accessed Uber’s bug bounty account on HackerOne, and commented on vulnerability reports which are meant to be confidential. HackerOne’s CEO has said that Uber’s account has been locked, and the company is now assisting with the investigation.

Published on: Friday, September 16, 2022, 06:03 PM IST
