Skip to main content

Uber blames Lapsus$ hacking group for security breach

Uber blames Lapsus$ hacking group for security breach

/

The hack occurred a few days before dozens of GTA VI videos were leaked

Share this story

If you buy something from a Verge link, Vox Media may earn a commission. See our ethics statement.

The Uber logo with a black and red graphic against a yellow background.
Illustration by Alex Castro / The Verge

Uber said that a hacker associated with the Lapsus$ hacking group was to blame for a breach of its internal systems last week, while reiterating that no customer or user data was compromised during the attack.

The hack, which was discovered last Thursday, forced the company to take several of its internal systems offline, including Slack, Amazon Web Services, and Google Cloud Platform. 

It occurred a few days before video game maker Rockstar Games was also breached by a hacker who claims to be the same person who attacked Uber. Dozens of videos of the company’s unreleased Grand Theft Auto VI were leaked online. In its security update, Uber references the Rockstar Games hack but does not confirm it was the same attacker.

The company says it is in close contact with the FBI and US Justice Department as the investigation continues.

Uber confirmed that the hacker downloaded some internal Slack messages as well as information from an internal tool used by the company’s finance team to manage invoices. “We are currently analyzing those downloads,” the company said in a statement.

Lapsus$ is a hacking group known for waging a ransomware attack against the Brazilian Ministry of Health in December 2021, compromising the COVID-19 vaccination data of millions within the country. It’s also targeted a number of high-profile companies, stealing data from NvidiaSamsungMicrosoft, and Vodafone. London police arrested several members of the group earlier this year, all of whom were teenagers.

In its update on the breach, Uber confirmed new details about the hack. The company said the attacker likely purchased an Uber contractor’s corporate password on the dark web after the contractor’s personal device had been infected with malware, exposing those credentials.

“The attacker then repeatedly tried to log in to the contractor’s Uber account,” the company said. “Each time, the contractor received a two-factor login approval request, which initially blocked access. Eventually, however, the contractor accepted one, and the attacker successfully logged in.”

(Previously, the alleged hacker claimed to have received a password allowing access to Uber’s systems from an employee of the company, whom he tricked by posing as a corporate IT official — a technique known as social engineering.)

The hacker then accessed several other Uber employee accounts, gradually gaining more permissions to a number of internal company tools, including G Suite and Slack. The attacker then posted a message to a company-wide Slack channel and “reconfigured Uber’s OpenDNS to display a graphic image to employees on some internal sites,” the company said.

The hacker ultimately announced themselves to Uber’s employees by posting a message on the company’s internal Slack system. “I announce I am a hacker and Uber has suffered a data breach,” screenshots of the message circulating on Twitter read. The alleged hacker then listed confidential company information they said they’d accessed and posted a hashtag saying that Uber underpays its drivers. 

Uber said it responded by forcing employees and contractors who had their accounts compromised to change their passwords and restricting them from certain internal systems until they had done so. It also rotated keys — effectively resetting access — to many of Uber’s internal services. And it locked down its own codebase, preventing any new code changes — though it claims to have not detected any changes as of yet.

Uber also claims that sensitive customer data, including identifying personal information and financial data, is secure.

First and foremost, we’ve not seen that the attacker accessed the production (i.e. public-facing) systems that power our apps; any user accounts; or the databases we use to store sensitive user information, like credit card numbers, user bank account info, or trip history. We also encrypt credit card information and personal health data, offering a further layer of protection.

Uber says the hacker accessed the company’s dashboard at HackerOne, where security researchers report bugs and vulnerabilities. “However, any bug reports the attacker was able to access have been remediated,” the company says.

In addition to law enforcement, Uber says it’s also working with “several leading digital forensics firms” as part of its ongoing investigation.

“We will also take this opportunity to continue to strengthen our policies, practices, and technology to further protect Uber against future attacks,” the company said.

Today’s Storystream

Feed refreshed Two hours ago Dimorphos didn’t even see it coming

R
Twitter
Richard LawlerTwo hours ago
A direct strike at 14,000 mph.

The Double Asteroid Redirection Test (DART) scored a hit on the asteroid Dimorphos, but as Mary Beth Griggs explains, the real science work is just beginning.

Now planetary scientists will wait to see how the impact changed the asteroid’s orbit, and to download pictures from DART’s LICIACube satellite which had a front-row seat to the crash.


M
The Verge
We’re about an hour away from a space crash.

At 7:14PM ET, a NASA spacecraft is going to smash into an asteroid! Coverage of the collision — called the Double Asteroid Redirection Test — is now live.


E
Twitter
Emma RothSep 26
There’s a surprise in the sky tonight.

Jupiter will be about 367 million miles away from Earth this evening. While that may seem like a long way, it’s the closest it’s been to our home planet since 1963.

During this time, Jupiter will be visible to the naked eye (but binoculars can help). You can check where and when you can get a glimpse of the gas giant from this website.


Asian America learns how to hit back

The desperate, confused, righteous campaign to stop Asian hate

Esther WangSep 26
E
Twitter
Emma RothSep 26
Missing classic Mario?

One fan, who goes by the name Metroid Mike 64 on Twitter, just built a full-on 2D Mario game inside Super Mario Maker 2 complete with 40 levels and eight worlds.

Looking at the gameplay shared on Twitter is enough to make me want to break out my SNES, or at least buy Super Mario Maker 2 so I can play this epic retro revamp.


R
External Link
Russell BrandomSep 26
The US might still force TikTok into a data security deal with Oracle.

The New York Times says the White House is still working on TikTok’s Trump-era data security deal, which has been in a weird limbo for nearly two years now. The terms are basically the same: Oracle plays babysitter but the app doesn’t get banned. Maybe it will happen now, though?


R
Youtube
Richard LawlerSep 26
Don’t miss this dive into Guillermo del Toro’s stop-motion Pinocchio flick.

Andrew Webster and Charles Pulliam-Moore covered Netflix’s Tudum reveals (yes, it’s going to keep using that brand name) over the weekend as the streamer showed off things that haven’t been canceled yet.

Beyond The Way of the Househusband season two news and timing information about two The Witcher projects, you should make time for this incredible behind-the-scenes video showing the process of making Pinocchio.


R
External Link
Russell BrandomSep 26
Edward Snowden has been granted Russian citizenship.

The NSA whistleblower has been living in Russia for the 9 years — first as a refugee, then on a series of temporary residency permits. He applied for Russian citizenship in November 2020, but has said he won’t renounce his status as a U.S. citizen.


E
External Link
Emma RothSep 26
Netflix’s gaming bet gets even bigger.

Even though fewer than one percent of Netflix subscribers have tried its mobile games, Netflix just opened up another studio in Finland after acquiring the Helsinki-based Next Games earlier this year.

The former vice president of Zynga Games, Marko Lastikka, will serve as the studio director. His track record includes working on SimCity BuildIt for EA and FarmVille 3.


A
External Link
Vietnam’s EV aspirant is giving big Potemkin village vibes

Idle equipment, absent workers, deserted villages, an empty swimming pool. VinFast is Vietnam’s answer to Tesla, with the goal of making 1 million EVs in the next 5-6 years to sell to customers US, Canada and Europe. With these lofty goals, the company invited a bunch of social media influencers, as well as some auto journalists, on a “a four-day, multicity extravaganza” that seemed more weird than convincing, according to Bloomberg.


J
James VincentSep 26
Today, 39 years ago, the world didn’t end.

And it’s thanks to one man: Stanislav Petrov, a USSR military officer who, on September 26th, 1983, took the decision not to launch a retaliatory nuclear attack against the US. Petrov correctly guessed that satellite readings showing inbound nukes were faulty, and so likely saved the world from nuclear war. As journalist Tom Chivers put it on Twitter, “Happy Stanislav Petrov Day to those who celebrate!” Read more about Petrov’s life here.


Soviet Colonel who prevented 1983 nuclear response
Photo by Scott Peterson/Getty Images
J
The Verge
James VincentSep 26
Deepfakes were made for Disney.

You might have seen the news this weekend that the voice of James Earl Jones is being cloned using AI so his performance as Darth Vader in Star Wars can live on forever.

Reading the story, it struck me how perfect deepfakes are for Disney — a company that profits from original characters, fans' nostalgia, and an uncanny ability to twist copyright law to its liking. And now, with deepfakes, Disney’s most iconic performances will live on forever, ensuring the magic never dies.


E
External Link
Hurricane Fiona ratcheted up tensions about crypto bros in Puerto Rico.

“An official emergency has been declared, which means in the tax program, your physical presence time is suspended,” a crypto investor posted on TikTok. “So I am headed out of the island.” Perhaps predictably, locals are furious.


R
The Verge
Richard LawlerSep 26
Teen hacking suspect linked to GTA 6 leak and Uber security breach charged in London.

City of London police tweeted Saturday that the teenager arrested on suspicion of hacking has been charged with “two counts of breach of bail conditions and two counts of computer misuse.”

They haven’t confirmed any connection with the GTA 6 leak or Uber hack, but the details line up with those incidents, as well as a suspect arrested this spring for the Lapsus$ breaches.