Skip to main content

Uber says ‘no evidence’ user accounts were compromised in hack

Uber says ‘no evidence’ user accounts were compromised in hack

/

An 18-year-old hacker gained administrator access to the company’s internal software systems

Share this story

Uber company name written on a multicolored background.
Illustration by Alex Castro / The Verge

Uber says there is “no evidence” that any of its users’ private information was compromised in a breach of its internal computer systems discovered Thursday. All of the company’s products, including its ride-hail and Uber Eats food delivery services, are currently “operational,” and law enforcement has been notified, Uber said in a statement this afternoon.

The hack forced the company to take several of its internal systems offline, including Slack, Amazon Web Services, and Google Cloud Platform. Uber is continuing to investigate how a hacker, who claims to be an 18-year-old, was able to gain administrator access to the company’s internal tools.

Those internal software tools were taken offline yesterday afternoon as “a precaution” and started to come back online earlier today, the company says.

The hacker announced themselves to Uber’s employees by posting a message on the company’s internal Slack system. “I announce I am a hacker and Uber has suffered a data breach,” screenshots of the message circulating on Twitter read. The alleged hacker then listed confidential company information they said they’d accessed and posted a hashtag saying that Uber underpays its drivers. 

The alleged hacker, who spoke to a reporter with The New York Times, claims to have received a password allowing access to Uber’s systems from an employee of the company whom he tricked by posing as a corporate IT official — a technique known as social engineering.

The company isn’t advising its users to make any proactive changes to their accounts at this time

Security experts consulted by the Times said the hack appeared to be a “total compromise” of Uber’s systems. But the company isn’t advising its users to make any proactive changes to their accounts at this time, like changing passwords, a spokesperson said.

This isn’t the first time Uber has fallen victim to hackers. The company was the target of a massive cybersecurity attack that took place in October 2016, exposing the confidential data of 57 million customers and drivers. Uber recently admitted to covering up the hack as part of a settlement with the US Department of Justice to avoid criminal prosecution.

Hackers used stolen credentials to access a private source code repository and obtain a proprietary access key, which they then used to access and copy large quantities of data associated with Uber’s users and drivers, including data pertaining to approximately 57 million user records with 600,000 driver’s license numbers. 

Joe Sullivan, Uber’s chief security officer at the time, was complicit in the cover-up and was later charged with obstruction of justice for trying to hide a data breach from the Federal Trade Commission and Uber management. Uber CEO Dara Khosrowshahi just took the stand in his trial, which started earlier this month.