Uber said on Thursday that it is responding to a cybersecurity incident after a hacker reportedly breached the raid-hailing company’s network and compromised a number of its internal systems.
“We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available,” the company said in a statement on Twitter.
Uber did not provide further details regarding the cybersecurity incident, however, The New York Times, which first reported the incident, said that a hacker managed to gain access to the company’s office messaging app Slack and used it to post a message to Uber employees.
“I announce I am a hacker and uber has suffered a data breach,” the message reportedly read.
According to the publication, Uber promptly took several of its internal communications and engineering systems offline while it launched an investigation into the extent of the breach.
Screenshots of the incident obtained by The New York Times and The Washington Post showed the hacker claiming to have access to a number of Uber’s internal systems and corporate networks.
According to the Washington Post, the hacker was prompted to conduct a security breach due to Uber’s treatment of its drivers.
Uber’s labor practices have repeatedly come under fire; the company designates its drivers as “contractors”, meaning they are not entitled to increased worker’ rights, protections, and other benefits.
Simple Text Message
The individual claiming to be behind the security breach told The New York Times that they had simply sent a text message to an Uber worker pretending to be a corporate IT person and were promptly provided with a password that allowed them to gain wide-reaching access to Uber’s systems.
Rachel Tobac, the CEO of SocialProof Security, which helps train firm’s on how to defend against cyber criminals, wrote on Twitter that there has been a major increase in SMS phishing of late.
SMS phishing is one of the many methods used by scam artists to lure people into handing over their personal or financial information via text message or other mobile messaging services like WhatsApp.
“The person who claimed they just hacked Uber is saying their method was: – Send SMS phish to Uber worker as IT Support – Steal credentials – Access Slack & internal systems,” Tobac wrote.
The expert hacker added that there has been a rise in SMS-based phishing because it’s “working” and “becoming increasingly well documented by attackers, and there are now kits that make it easier to develop attacks to steal passwords and MFA codes.”
She added that a Fast Identity Online (FIDO) key, which uses things like fingerprint login and two-factor login to identify users, likely would have helped to prevent Uber’s latest incident.
The Epoch Times has contacted Uber for comment.
Meanwhile, California-based Slack told Reuters in a statement that it was investigating the breach but that it had not found any evidence suggesting a vulnerability to its platform.
“Uber is a valued customer, and we are here to help them if they need us,” Slack, which is owned by Salesforce Inc, said.