Uber is investigating a breach of the company’s most sensitive data—including financial documents, internal messages, and who knows what else—by someone who told the New York Times they’re just 18 years old. The hacker posted screenshots of their alleged exploits on Telegram on Thursday and even announced the hack in Uber’s internal Slack channels that evening, leading some employees to apparently think it was a joke, according to the Washington Post.
The hacker allegedly compromised Uber’s systems by posing as someone from the company’s IT team and getting an employee’s password through text message, according to the Times, which described the hack as a “total compromise” of Uber. Screenshots of the alleged hack posted to Telegram show access to HackerOne, Amazon Web Services, vSphere, Google Workspace, and Uber financial data.
The hacker announced themself on Thursday by posting a photo of an erect penis on internal websites with the message “FUCK YOU DUMB WANKERS,” according to Fortune magazine, though it’s still not clear how long the hacker may have had access to Uber’s data. Just because the hacker announced themself on Thursday doesn’t mean they gained access that day.
The hacker’s message in Uber’s internal Slack channel shows people responding with emojis and makes clear why some employees must have thought it was a joke:
I announce i am a hacker and uber has suffered a data breach.
Slack has been stolen, confidential data with Confluence, stash and 2 monorepos from phabricator have also been stolen, along with secrets from sneakers.
Obviously it’s entirely possible the hacker or hackers aren’t actually just an 18-year-old doing it for the lulz, and this could be the work of a government or organized criminal organization. But if you wanted to look like an immature teen just pranking a big company, you’d definitely vandalize internal websites with a cock and say “fuck you dumb wankers.” That’s also what an authentic teen (presumably British) would say.
A spokesperson for Uber declined to comment on details of the hack overnight and would only say that they were “currently responding to a cybersecurity incident” and they were “in touch with law enforcement.” Uber said it would provide updates via its Uber Comms Twitter account, though that account hasn’t been updated since 9:25 p.m. ET on Thursday.
Uber suffered a ransomware attack back in 2016, with the sensitive information of 57 million users compromised, including driver’s license information, but the company kept it a secret for more than a year. The company paid $100,000 to the hackers and fired two executives after the incident.
If it does turn out the hacker is a lone wolf not affiliated with any nation-state and just 18 years old, the hack would follow in a long tradition of teen hackers who breached sensitive areas just because they could. But if it was really that easy to social engineer a hack that opened up seemingly endless doors into Uber’s back end, you know someone who can profit will be paying attention for next time. Because when it comes to hacking, there’s always a next time. Get your shit together, Uber.