Uber on Thursday said it is investigating a cybersecurity incident following reports that the ride-hailing company had been hacked.
“We are currently responding to a cybersecurity incident,” Uber said in a statement on Twitter. “We are in touch with law enforcement and will post additional updates here as they become available.”
A hacker gained control over Uber’s internal systems after compromising the Slack account of an employee, according to the New York Times, which says it communicated with the attacker directly. Slack, a workplace messaging service, is used by many tech companies and startups for everyday communications. Uber has now disabled its Slack, according to multiple reports.
Shares of Uber declined 5% Friday on news of the hack.
After compromising Uber’s internal Slack in a so-called social engineering attack, the hacker then went on to access other internal databases, the Times reported. In one Slack message, the hacker is said to have written: “I announce I am a hacker and Uber has suffered a data breach.”
A separate report, from the Washington Post, said the alleged attacker told the newspaper they had breached Uber for fun and could leak the company’s source code in a matter of months.
Employees initially thought the attack to be a joke and responded to Slack messages from the alleged hacker with emojis and GIFs, the Post reported, citing two people familiar with the matter.
CNBC was unable to independently verify the information. Uber declined to comment beyond its statement posted on Twitter.
While it’s not entirely clear yet how Uber’s systems were compromised, cybersecurity researchers said initial reports indicate the hacker eschewed sophisticated hacking techniques in favor of social engineering. This is where criminals prey on people’s credulity and inexperience to gain entry to corporate accounts and sensitive data.
“This is a pretty low-bar to entry attack,” said Ian McShane, vice president of strategy at cybersecurity firm Arctic Wolf. “Given the access they claim to have gained, I’m surprised the attacker didn’t attempt to ransom or extort, it looks like they did it ‘for the lulz’.”
“It’s proof once again that often the weakest link in your security defenses is the human,” McShane added.
Sam Curry, a self-described “bug bounty hunter” said he’d been in contact with the alleged Uber hacker and claimed that the employee targeted was involved in incident response. Curry said this means that the hacker likely had “elevated access to begin with.” Bug bounties are rewards offered by companies to hackers for the discovery of software vulnerabilities.
“From my understanding, the attacker had keys to the kingdom after obtaining an internal file with credentials to nearly everything,” he added. Curry works for crypto startup Yuga Labs as a security engineer and says he spoke with the hacker via Telegram, an instant messaging platform.
News of the attack comes as Uber’s former security chief, Joe Sullivan, is standing trial over a 2016 breach in which the records of 57 million users and drivers were stolen. In 2017, the company admitted to concealing the attack and, the following year, paid $148 million in a settlement with 50 U.S. states and Washington, D.C.
Uber has attempted to clean up its image in the wake of the exit of Travis Kalanick in 2017, the controversial former CEO who founded the company in 2009. But scandals and controversies from Kalanick’s tumultuous tenure continue to haunt the firm.
In July, The Guardian reported on the leak of thousands of documents which detailed how Uber pushed into cities around the world, even if it meant breaking local laws. In one instance, former CEO Travis Kalanick said that “violence guarantees success” after being confronted by other executives about concerns for the safety of Uber drivers sent to a protest in France.
In response to The Guardian’s reporting at the time, Uber said the events were related to “past behavior” and “not in line with our present values.”