Uber suffered a cybersecurity breach on Thursday, September 15. The company has acknowledged that an attacker was able to access internal systems, including Uber’s G Suite account and its HackerOne bug bounty dashboard.
A lot has already been written about this incident. But let’s remember that most initial information later turns out to be wrong or incomplete. Do not make decisions about your security options based on a single, not yet completely understood, incident.
While the Uber contractor’s account was protected by 2FA, the repeated login authorization prompts ultimately resulted in the contractor approving one. As tempting as it is to approve a prompt to “make it stop,” it’s important to educate users to contact the security team when they receive unexpected or frequent access approval messages, so the team can confirm the requests are legitimate or track the malfeasance. Note that Uber has taken several steps, including not only re-authenticating employee access to related tools but also implementing stronger MFA to mitigate the risk of recurrence. Uber reviewed its VDP dashboard and, at the time of the attack, no unmitigated vulnerabilities were listed. No sensitive data appears to have been accessed. Note that Uber encrypts sensitive data such as credit cards and personal health data.
A primary driver of this breach was stolen credentials, to include tricking an employee into approving an MFA request. While MFA can dramatically reduce the risk of password attacks, the problem is we have made MFA both confusing (there are multiple different implementations) and requiring different types / levels of human interaction. This is why I’m so excited about Apple’s new FIDO Passkey deployment in the latest iOS / macOS: it takes the entire authentication process away from people and simplifies it through biometrics.
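The repeated-prompt pattern described above can also be caught on the detection side. The following is an added example, not code from Uber or any vendor: it scans MFA push events for a burst of unapproved prompts and for an approval that follows such a burst. The event schema, the sample events, the 10-minute window and the threshold of 3 are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (hypothetical schema: ISO timestamp, user, push result).
SAMPLE_EVENTS = [
    ("2024-01-10T21:00:05", "contractor1", "denied"),
    ("2024-01-10T21:01:10", "contractor1", "timeout"),
    ("2024-01-10T21:02:30", "contractor1", "denied"),
    ("2024-01-10T21:03:45", "contractor1", "denied"),
    ("2024-01-10T21:05:00", "contractor1", "approved"),
    ("2024-01-10T09:00:00", "alice", "approved"),
    ("2024-01-10T13:00:00", "bob", "denied"),
    ("2024-01-10T17:30:00", "bob", "approved"),
]

def detect_push_fatigue(events, window=timedelta(minutes=10), threshold=3):
    """Flag bursts of unapproved MFA pushes and approvals that follow a burst."""
    recent = defaultdict(deque)  # user -> timestamps of recent unapproved prompts
    alerts = []
    # ISO-8601 strings in one format sort chronologically.
    for ts_raw, user, result in sorted(events):
        ts = datetime.fromisoformat(ts_raw)
        prompts = recent[user]
        # Drop unapproved prompts that fell out of the sliding window.
        while prompts and ts - prompts[0] > window:
            prompts.popleft()
        if result == "approved":
            if len(prompts) >= threshold:
                # Approval right after a burst: treat as likely coerced approval.
                alerts.append({"user": user, "at": ts_raw, "kind": "approval_after_burst",
                               "prior_unapproved": len(prompts)})
            prompts.clear()
        else:
            prompts.append(ts)
            if len(prompts) == threshold:
                # Burst in progress: a chance to contact the user before any approval.
                alerts.append({"user": user, "at": ts_raw, "kind": "prompt_burst",
                               "prior_unapproved": len(prompts)})
    return alerts

if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_EVENTS):
        print(alert)
```

The `prompt_burst` alert fires before any approval happens, which is the point at which a security team can still reach the user.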
Read more in
Uber: Security update
Bleeping Computer: Uber links breach to Lapsus$ group, blames contractor for hack