Skip to main content

Uber's been hacked by an 18 year old, go figure

Hacker using a phone and pc while wearing a ski mask.
(Image credit: Getty- South_Agency)
Audio player loading…

It appears Uber has been hacked by an 18-year-old. As discovered Thursday, the hijacker managed to gain full admin access to the company's AWS, Duo, OneLogin, G Suite, VMware vSphere domain accounts, and more. They even bagged Uber's source code and have sent out screenshots to prove it.

Not a great time for Uber then. But what really gets me is how people are meant to have reacted when asked to stop interacting with the hacker on Slack—if you work in IT you might need to ask a friend to hold you back for this one.

According to The New York Times (opens in new tab), the person responsible for the Uber hack claims to have gained access simply by sending a text to an Uber employee pretending to be from the company's corporate IT team. The hacker, if we can even call them that, just persuaded the employee to send them their login credentials and, boom, full access granted.

Yuga Labs engineer Sam Curry posted on Twitter about the event, having spoken to the apparent hacker, who claims to be just 18 years old. They sent some pretty legitimate-looking screenshots of internal systems to prove their quarry.

Curry spoke to some Uber employees as to their experience: "At Uber, we got an 'URGENT' email from IT security saying to stop using Slack," one employee said. "Now anytime I request a website, I am taken to a REDACTED page with a pornographic image and the message 'F*** you wankers'."

Another employee said that, "Instead of doing anything, a good portion of the staff was interacting and mocking the hacker thinking someone was playing a joke. After being told to stop going on slack, people kept going on for the jokes."

See more

The Slack channel was finally taken offline after one message read "I announce I am a hacker and Uber has suffered a data breach." It also went on to list a bunch of systems they were claiming to have access to. What's really wild is that since there doesn't seem to be any rhyme or reason behind the attack "it seems like maybe they’re this kid who got into Uber and doesn’t know what to do with it, and is having the time of his life,” Curry jokes.

Ars Technica (opens in new tab) reports that this isn't the first time Uber has been involved in a data breach. Back in 2016 Uber allegedly failed to report a massive data breach in which 57 million customer and driver names, email and phone numbers were stolen. The company allegedly failed to report the incident to the Federal Trade Commission, instead opting to pay the hackers a $100,000 bug bounty so they would delete the data and sign an NDA, and out of embarrassment passing it all off as part of a security test.

That time, it resulted in one of Uber’s top security execs, Joe Sullivan, being fired, though his lawyers say he was made a scapegoat for the downfalls of other employees (opens in new tab)

Your next upgrade

(Image credit: Future)

Best CPU for gaming (opens in new tab): The top chips from Intel and AMD
Best gaming motherboard (opens in new tab): The right boards
Best graphics card (opens in new tab): Your perfect pixel-pusher awaits
Best SSD for gaming (opens in new tab): Get into the game ahead of the rest

The recent attack is currently under investigation with Uber's official Twitter account (opens in new tab) stating Thursday, "We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available."

How people haven't figured out that giving your password out is a terrible idea by now, I'll never know. They call it social engineering, but attacks like this are so excruciatingly low effort, a title like that is frankly an insult to engineers. 

Bottom line? Please don't give your passwords out, even if someone claims to be from IT. That team should already have access to your account in case you forget your password. 

Katie Wickens
Hardware Writer

Screw sports, Katie would rather watch Intel, AMD and Nvidia go at it. Having been obsessed with computers and graphics for three long decades, she took Game Art and Design up to Masters level at uni, and has been demystifying tech and science—rather sarcastically—for two years since. She can be found admiring AI advancements, scrambling for scintillating Raspberry Pi projects, preaching cybersecurity awareness, sighing over semiconductors, and gawping at the latest GPU upgrades. She's been heading the PCG Steam Deck content hike, while waiting patiently for her chance to upload her consciousness into the cloud.