A teen was allegedly the cybercriminal who breached the systems of Uber and Rockstar Games. The 18-year-old came forward to the New York Times to claim the two data breaches. According to an NYT report, the hacker pretended to be an IT worker for Uber and asked one of Uber’s employees for the password on the worker’s Slack account.
The method, known as social engineering, was used by the hacker to manipulate the targets into acting in a certain way regardless of special security measures put in place. The cyber-attacker sent images of emails, cloud storage and code repositories to the American daily to prove the claim of the breaches.
How the teen gained access
The teenage hacker stated that he had already determined a valid username and password to trick an Uber staff member into granting him access to internal systems, independent cybersecurity analyst Graham Cluley posted on his website. The teen managed to do so by sending several multi-factor authentication (MFA) notifications to Uber staff for over an hour.
After receiving several notifications, the staff granted access. Some online comments purported to be made by the hacker also point towards him communicating with the Uber employee on his WhatsApp number.
The hacker then scanned the company’s network and found the credentials of an admin account which helped him gain access to Uber’s internal systems. Following this, the hacker stole internal documents and publicly announced them on the company’s Slack by sending screenshots of its internal systems.
“Hi @here. I announce I am a hacker, and uber has suffered a data breach. Slack has been stolen, confidential data with Confluence, stash and 2 Monorepos from Phabricator have also been stolen, along with secrets from sneakers.#uberunderpaisdrives,” read the message sent by the teen hacker.
Uber asks its staff not to use Slack
Initially, Uber staff did not take the message seriously and responded with emojis as tweeted by the online malware database VX-Underground. However, later the company asked its employees not to use its internal slack messaging system.
When the individual breached Uber, they sent a slack notification to everyone informing them the company had been breached.
Employees thought it was a joke.
— vx-underground (@vxunderground) September 16, 2022
Uber clarified that its services were working, and no evidence was found to establish that sensitive data was breached.
The second data breach and leak
Rockstar Games was hacked days after the Uber data breach. The alleged 18-year-old claimed responsibility for the hacking and posted the Grand Theft Auto (GTA) 6 gameplay, which was in its early stages of development, as evidence.