Uber data is out again. This time, an incident at a third-party vendor caused it. The person who posted the leaked data on the dark web claimed to be associated with Lapsus$. Coincidentally, this is the gang Uber blamed for the data breach in September 2022.
Uber data popped up at the dark web marketplace Breached Forums on December 10, when a user posted a dump of 20 million records, which the user claimed was Uber’s internal data.
77,000 Uber employee PII out
“Hacked by autistic fisherman Arion and scammed all LAPSUS$ members,” said the post under the username “UberLeak.” No other update linking the attempt to Lapsus$ or any other hacker/ransomware groups has come up since December 10.
The information was made available to all forum users without charge rather than being placed up for sale. The forum administrator also participated in the conversation, which is usually a sign that the listing is trustworthy.
Researchers who analysed the information in the shared archive found several spreadsheets with asset data and other sensitive information, including the accounts and personally identifiable information of around 77,000 Uber employees.
On the same day, another thread shared an archive with what appeared to be source code, API information, web app data, and more.
Uber confirmed the data breach and attributed it to a hacking attempt on a third-party vendor, Teqtivity.
Attack confirmed, investigation on
“We believe these files are related to an incident at a third-party vendor and are unrelated to our security incident in September. Based on our initial review of the information available, the code is not owned by Uber; however, we are continuing to look into this matter,” read Uber’s joint statement to several news outlets.
Teqtivity also confirmed that the data was compromised due to an “unauthorized access” of their systems by a “malicious third party”.
“The third party was able to gain access to our Teqtivity AWS backup server that housed Teqtivity code and data files related to Teqtivity customers,” read a statement from the company.
Teqtivity has hired a “third-party forensics firm” to go through all logs and server configurations, while another “third-party security team” will conduct a penetration test of the infrastructure.
“We have notified law enforcement officials. Our investigation is ongoing. However, we have notified affected customers of the incident and have taken steps to ensure the situation is contained and have prevented this type of event from happening again,” the statement read.
According to Teqtivity, the exposed information includes mobile phone and computer details, such as serial numbers, and user information ranging from names to work email addresses and location details.
This is the second major data breach at Uber this year.
Back in September…
According to Uber, the hacker used social engineering to get access to a worker’s Slack account. During the attack, the hacker obtained from the employee an important password that gave access to Uber’s systems. According to screenshots the hacker provided to security researchers, they had full access to the cloud-based platforms that Uber uses to store confidential consumer and financial data.
“An Uber EXT contractor had their account compromised by an attacker. It is likely that the attacker purchased the contractor’s Uber corporate password on the dark web, after the contractor’s personal device had been infected with malware, exposing those credentials,” said the company disclosure.
“The attacker then repeatedly tried to log in to the contractor’s Uber account. Each time, the contractor received a two-factor login approval request, which initially blocked access. Eventually, however, the contractor accepted one, and the attacker successfully logged in,” it added.
The Uber statement attributed the attack to a hacker affiliated with the Lapsus$ hacking group.
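The September disclosure describes repeated two-factor approval requests that ended with one being accepted. The following detection for that pattern is an added example, not code from Uber or from the original article; the log format, field names, user names and thresholds are all assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical log format (not real Uber or vendor data).
SAMPLE_LOG = """\
2024-01-10T02:10:05 user=contractor1 event=mfa_push result=denied
2024-01-10T02:11:40 user=contractor1 event=mfa_push result=timeout
2024-01-10T02:12:15 user=contractor1 event=mfa_push result=denied
2024-01-10T02:13:02 user=contractor1 event=mfa_push result=denied
2024-01-10T02:14:30 user=contractor1 event=mfa_push result=approved
2024-01-10T09:00:12 user=alice event=mfa_push result=approved
2024-01-10T09:30:00 user=bob event=mfa_push result=denied
2024-01-10T13:45:00 user=bob event=mfa_push result=approved
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) event=mfa_push result=(approved|denied|timeout)$")

def parse(log_text):
    """Yield (timestamp, user, result) for each well-formed MFA push line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)

def detect_push_fatigue(events, window=timedelta(minutes=10), min_unanswered=3):
    """Flag approvals preceded by at least min_unanswered denied or timed-out
    push prompts for the same user inside the time window."""
    recent = defaultdict(deque)  # user -> timestamps of unapproved prompts
    alerts = []
    for ts, user, result in sorted(events):
        q = recent[user]
        while q and ts - q[0] > window:
            q.popleft()          # drop prompts that fell out of the window
        if result == "approved":
            if len(q) >= min_unanswered:
                alerts.append((user, ts, len(q)))
            q.clear()            # an approval resets the streak
        else:
            q.append(ts)
    return alerts

if __name__ == "__main__":
    for user, ts, n in detect_push_fatigue(parse(SAMPLE_LOG)):
        print(f"ALERT {user}: approval at {ts.isoformat()} after {n} rejected prompts")
```

An alert of this kind is a reason to review the session and contact the user, since a legitimate user can also approve after a few mistaken denials.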