Uber blames security breach on Lapsus$, says they bought credentials on the dark web

Image: Getty Images

The security breach that hit Uber last week was the work of Lapsus$, Uber said in a blog post Monday. The South American hacking group has attacked a number of technology giants in the past year, including Microsoft, Samsung, Okta and others.  

Uber said it is in close coordination with the FBI and US Justice Department on the matter. 

While the attacker accessed several internal systems, Uber said it does not appear they infiltrated any public-facing systems, any user accounts, or databases that store sensitive user information like credit card numbers. Additionally, Uber said it doesn't appear that the attacker accessed any customer or user data stored by its cloud providers.

The hacker did download some internal messages, as well as information from an internal finance team. They also accessed Uber's dashboard at HackerOne, where security researchers report bugs and vulnerabilities. However, any bug reports the attacker was able to access have been remediated, Uber said. 

On Thursday, news of the breach spread after a hacker posted a message to a company-wide Slack channel. The attacker then reconfigured Uber's OpenDNS to display a graphic image to employees on some internal sites.

The attacker told the New York Times that they gained access to Uber's systems through a social engineering scheme: they sent a text message to an Uber employee claiming to be a corporate IT staffer, which persuaded the staff member to reveal a password. 

However, Uber clarified Monday that the hacker gained access using credentials from a third-party contractor. Furthermore, the company said it's “likely” that the Lapsus$ hacker obtained the contractor's Uber corporate password by purchasing it on the dark web, after the contractor's personal device had been infected with malware.

After that, Uber said, the hacker repeatedly tried to log into the contractor's Uber account but was stymied by a two-factor login approval request. However, the contractor eventually accepted one of those requests. From there, the attacker obtained elevated permissions to a number of internal tools, including G-Suite and Slack.
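The login-approval pattern described in the paragraph above (repeated two-factor push prompts until the user finally accepts one, commonly called MFA fatigue or push bombing) is something an identity team can alert on. The following is an added example, not code from Uber or from the article: a small Python detector that runs over constructed identity-provider log lines in a hypothetical JSON format and flags any user whose push approval follows several timed-out or denied pushes within a short window. Field names, thresholds and the sample events are all assumptions made for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of MFA push events in a hypothetical JSON-lines format.
# This is NOT a real vendor log schema; it only illustrates the detection logic.
SAMPLE_LOG = """
{"ts": "2022-09-15T02:10:05Z", "user": "contractor01", "event": "mfa.push.sent", "result": "timeout", "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T02:11:12Z", "user": "contractor01", "event": "mfa.push.sent", "result": "denied", "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T02:12:40Z", "user": "contractor01", "event": "mfa.push.sent", "result": "timeout", "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T02:13:55Z", "user": "contractor01", "event": "mfa.push.sent", "result": "denied", "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T02:15:03Z", "user": "contractor01", "event": "mfa.push.sent", "result": "approved", "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T09:00:00Z", "user": "alice", "event": "mfa.push.sent", "result": "approved", "src_ip": "198.51.100.20"}
{"ts": "2022-09-15T09:30:00Z", "user": "bob", "event": "mfa.push.sent", "result": "denied", "src_ip": "198.51.100.21"}
{"ts": "2022-09-15T09:31:00Z", "user": "bob", "event": "mfa.push.sent", "result": "approved", "src_ip": "198.51.100.21"}
"""

# Detection thresholds (assumed values; tune to your environment's baseline).
WINDOW = timedelta(minutes=10)
MIN_FAILED_PUSHES = 3


def parse_events(raw):
    """Parse JSON-lines MFA events and return them sorted by timestamp."""
    events = []
    for line in raw.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def detect_push_fatigue(events, window=WINDOW, min_failed=MIN_FAILED_PUSHES):
    """Flag each approval that follows >= min_failed unapproved pushes
    for the same user inside the sliding window.

    A single denial followed by an approval is normal user behaviour
    (a mistaken tap, then a retry), so it stays below the threshold."""
    alerts = []
    recent = defaultdict(list)  # user -> timestamps of recent timed-out/denied pushes
    for ev in events:
        if ev["event"] != "mfa.push.sent":
            continue
        user = ev["user"]
        # Drop entries that have aged out of the window.
        recent[user] = [t for t in recent[user] if ev["ts"] - t <= window]
        if ev["result"] in ("timeout", "denied"):
            recent[user].append(ev["ts"])
        elif ev["result"] == "approved":
            if len(recent[user]) >= min_failed:
                alerts.append({
                    "user": user,
                    "failed_pushes": len(recent[user]),
                    "approved_at": ev["ts"].isoformat(),
                    "src_ip": ev["src_ip"],
                })
            # An approval closes the sequence either way.
            recent[user].clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(parse_events(SAMPLE_LOG)):
        print("MFA fatigue suspected:", alert)
```

In the constructed sample only `contractor01` trips the rule (four unapproved pushes in under five minutes, then an approval); `bob`'s single denial followed by an approval does not. An alert like this is a trigger for session revocation and a conversation with the user, not proof of compromise on its own. The detection is a backstop: the durable fix for the pattern is a second factor that cannot be approved by accident, such as number matching on the push prompt or a phishing-resistant FIDO2 authenticator.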
