Hackers broke into Uber's internal systems via an Uber employee's Slack account, the New York Times and Washington Post report. Uber's AWS and Google Cloud were also hacked, and internal financial data may have been accessed. Uber announced that it has notified the police and is investigating.
UBER fell 3.62%. https://t.co/C6k5AWwFox
— 今村咲 (@saki_imamura) September 16, 2022
In one Slack message, the hacker is said to have written: "I announce I am a hacker and Uber has suffered a data breach." https://t.co/Vv4HdSUVDO
— Ryan Browne (@Ryan_Browne_) September 16, 2022
Uber investigates 'cybersecurity incident' after reports of a hack on the company https://t.co/k0QZGfl2pd
— CNBC (@CNBC) September 16, 2022
"Uber employees on Thursday discovered that huge swaths of their internal network had been hacked by someone who announced the feat on the company Slack channel": https://t.co/B68vKzxqkx #ethics #internet #cybersec #tech
— Internet Ethics (@IEthics) September 16, 2022
"Many organizations believe they are too smart to fall for phishing attacks. They prefer the ease of authenticator apps vs FIDO2 MFA, which requires the possession of a phone or physical key. Breaches will remain a fact of life until this mindset changes." https://t.co/x6z49G8SX6
— Jeff Atwood (@codinghorror) September 16, 2022
Uber was breached to its core, purportedly by an 18-year-old. Here are the basics https://t.co/4pzYH7VJwM
— Ken Westin (@kwestin) September 16, 2022
Update: a person claiming responsibility for the Uber hack tells the NYT that he is 18, got in through social engineering an employee’s password, and hacked the company because it had weak security. https://t.co/h3k7H9lpSo pic.twitter.com/TZ8aDrNyQQ
— Kevin Roose (@kevinroose) September 16, 2022
Breaking from me and @kateconger: Uber was hacked today, and employees can’t access Slack and other internal tools. The hacker also posted a NSFW photo on an employee resource page. Developing… https://t.co/h3k7H9lpSo
— Kevin Roose (@kevinroose) September 16, 2022
Seeing a major increase in SMS phishing. The person who claimed they just hacked Uber is saying their method was:
- Send SMS phish to Uber worker as IT Support
- Steal credentials
- Access Slack & internal systems
Thanks for chatting @kateconger @nytimes https://t.co/qS1A1u37DN pic.twitter.com/DYd9BmA9mO
— Rachel Tobac (@RachelTobac) September 16, 2022
Uber Investigating Breach of Its Computer Systems https://t.co/GF25TxeqNK
— nixCraft (@nixcraft) September 16, 2022
Oh boy: #UberHack https://t.co/f8VaOVPGsY
— ChildrenOfAristotle (@AristotlesChild) September 16, 2022
New: Uber was hacked today https://t.co/3quggcrIeX
— kate conger (@kateconger) September 16, 2022
RIP to everyone’s weekend at Uber.
— Kylie Robison (@kyliebytes) September 16, 2022
“Shortly before the Slack system was taken offline on Thursday afternoon, Uber employees received a message that read: ‘I announce I am a hacker and Uber has suffered a data breach.’” https://t.co/Vxb9WA4wTT
https://t.co/yoG5yfsgI3
Currently under investigation.
— Marshie (@MarshiePup) September 16, 2022
I can’t dunk on this. I know a lot of people will, but I can’t. I was raised in newsrooms, which is second only to LE for gallows humor. But lol at being told to stop. https://t.co/RwDFqnQvNl
— Christina Warren (@film_girl) September 16, 2022
Big scoop from @kateconger and @kevinroose — Uber’s internal network was breached Thursday and employees have been told to stay off Slack. Developing situation: https://t.co/OT3QkHJXpT
— Kellen Browning (@Kellen_Browning) September 16, 2022
This is a major deal if true --> not only have Uber's systems been compromised, but the company will remain compromised until it fixes all of its known vulnerabilities. In other words, the odds of hacker reentry are extremely high and will remain so for the foreseeable future
— Spencer Dailey (@SpencerDailey) September 16, 2022
Props for going @ here vs. @ channel. That counts for something. https://t.co/eopCvj5q3i
— Alex Kantrowitz (@Kantrowitz) September 16, 2022
The Uber hacker reportedly posted a message in the company's internal Slack, and employees thought it was a joke and reacted with 🍿 and 🚨 emoji and GIFs on the post https://t.co/cu78ebPjya
— Tom Warren (@tomwarren) September 16, 2022
“‘They pretty much have full access to Uber,’ said Sam Curry, a security engineer at Yuga Labs who corresponded with the person who claimed to be responsible for the breach. ‘This is a total compromise, from what it looks like.’” https://t.co/cLHlqQUEgh
— Dan Goodin (@dangoodin001) September 16, 2022
Second time in a week that I have heard of hardcoded PAM secrets giving an opportunistic attacker *all the access* to a global corp.
Technology is wholly dependent upon proper implementation and process. It’s easy to point fingers at a product, but often wrong. https://t.co/ZWHYIfH0ZQ
— Rik Ferguson (@rik_ferguson) September 16, 2022
Fido 2FA for all pls. https://t.co/WYSj523Fio
— Whitney Merrill (@wbm312) September 16, 2022
I can't wait for them to have a fleet of driverless cars because clearly there's no large scale risk of that ending badly https://t.co/KrmTH18UA2
— Evan Sutton (@3vanSutton) September 16, 2022
"In the Slack message that announced the breach, the person also said Uber drivers should receive higher pay."
Curious what motivated the hacker to choose to crusade for that... https://t.co/HZGTBoXAhb
— Roy E. Bahat (@roybahat) September 16, 2022
Just dropping this here…. employees seemingly still don’t have access. Yay for long weekends? https://t.co/QkKWEtLuj0
— Kylie Robison (@kyliebytes) September 16, 2022
An Uber employee told Fortune that when they open their work laptop, all internal websites displayed a picture of an “erect penis” with the text “FUCK YOU DUMB WANKERS.” https://t.co/AGCtjynjY5
— Kylie Robison (@kyliebytes) September 16, 2022
old enough to remember three days ago when twitter was the only tech company with bad security https://t.co/PBPS5cKhgD pic.twitter.com/UZE1YaXQKY
— Will Oremus (@WillOremus) September 16, 2022
Guess they can’t hide this one from the FTC 😬 https://t.co/ybOfS3nHkG
— Whitney Merrill (@wbm312) September 16, 2022
Cybersecurity truths:
1. No system is perfectly secure.
2. The more data you store, the more data you risk.
Good thing the only sensitive personal data Uber has are financial info, contact info, and also the records of everywhere every user has ever traveled at any time. https://t.co/bVRVa7GPbd
— Tiffany C. Li (@tiffanycli) September 16, 2022
Pour one out for the security response team at Uber.
Hardcoded secrets in a powershell script got them powershellacked.
Good practice is to assume intruders will seek out your internal scripts & do not leave secrets hard coded to help them elevate privilege & pivot like this. https://t.co/Vy0gPU04Zc
— Katie🌻Moussouris (she/her) (@k8em0) September 16, 2022
NEW: One of the biggest takeaways of the Uber hack is that 2FA via push notifications is flawed and relatively easy to circumvent.
“They can become so annoying that the target eventually accepts,” @RachelTobac told us. https://t.co/JYkDwd9iHw
— Lorenzo Franceschi-Bicchierai (@lorenzofb) September 16, 2022
I'll just use my username and password in this script that needs admin rights, what could possibly go wrong https://t.co/dDRNROdkxD
— Laurent Bercot (@laurentbercot) September 16, 2022
Someone hacked an Uber employee's HackerOne account and is commenting on all of the tickets. They likely have access to all of the Uber HackerOne reports. pic.twitter.com/00j8V3kcoE
— Sam Curry (@samwcyo) September 16, 2022
“Doesn’t know what to do with it and is having the time of his life”
Aaaaand there’s my teenage years eloquently portrayed. https://t.co/VRunNt2iWJ
— Daniel Cuthbert (@dcuthbert) September 16, 2022
The amount of shitposting and emojis is pretty hilarious. https://t.co/IBBCauOjCJ
— DreamLANsec (@da_667) September 16, 2022
As employee reactions poured in, including a Mr. Krabs meme, the "It's Happening" GIF and questions about whether it was a prank, someone wrote: “Sorry to be a stick in the mud, but I think IT would appreciate less memes while they handle the breach” https://t.co/Yr3Lak0TdZ
— Faiz Siddiqui (@faizsays) September 16, 2022
This is the worst case scenario we all try to prepare for, but no one believes will happen or is possible… https://t.co/TJJfeb2sMK
— Whitney Merrill (@wbm312) September 16, 2022
This is so savage. A hacker broke into Uber's Bug Bounty program and stole all the vulnerability reports ...so they can hack it over and over until everything is fixed. Galaxy brain attack. https://t.co/skMNInaTUp pic.twitter.com/Tk0rv9knAM
— Josh Constine 📶🔥 (@JoshConstine) September 16, 2022
The kids these days... https://t.co/nuGAUdQh74
— Mike Masnick (@mmasnick) September 16, 2022
Uber has had their entire infrastructure (cloud, financial, comms, dev, etc) hacked by a kid purporting to be a teenager – breach appears to be very severe. https://t.co/2KSml7GKHZ
— LeGate☮️ | pillow-fight.com CMO (@williamlegate) September 16, 2022
The Uber breach, which the hacker says began with social engineering of an employee, may be so thorough that it will be hard to kick the intruder out, experts said overnight. https://t.co/XptJqv2i38
— Joseph Menn (@josephmenn) September 16, 2022
If this screen shot is to be believed, the hacker who broke into Uber spammed the company's slack with a message about underpaid drivers.... https://t.co/MZ6Ee2iaHA
— Avi Asher-Schapiro (@AASchapiro) September 16, 2022
“.. The hacker provided .. screenshots that appeared to show widespread access to a range of administrative accounts that manage Uber’s technology systems, including the company’s Amazon Web Services and Google clouds ..”
@WSJ $UBER https://t.co/wiH0iUMw9s
— Carl Quintanilla (@carlquintanilla) September 16, 2022
Apparently there was an internal network share that contained powershell scripts...
"One of the powershell scripts contained the username and password for an admin user in Thycotic (PAM). Using this I was able to extract secrets for all services, DA, DUO, Onelogin, AWS, GSuite" pic.twitter.com/FhszpxxUEW
— Corben Leo (@hacker_) September 16, 2022
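The hardcoded-secrets problem described in the tweets above (a PAM admin username and password sitting in a PowerShell script on a network share) is something defenders can sweep for before an intruder does. Added Python example, not from any of the quoted authors or from Uber; both scripts are constructed, and the regexes are a starting set, not an exhaustive rule set:

```python
import re

# Patterns for credential literals commonly left in PowerShell scripts (a starting set, not exhaustive).
RULES = [
    ("plaintext SecureString",
     re.compile(r"ConvertTo-SecureString\s+['\"][^'\"]+['\"]\s+-AsPlainText", re.I)),
    ("literal assigned to credential variable or key",
     re.compile(r"\$?\w*(?:pass(?:word)?|pwd|secret|token|apikey)\w*\s*=\s*['\"][^'\"]{4,}['\"]", re.I)),
    ("literal passed to credential parameter",
     re.compile(r"-(?:Password|Pwd|Secret|Token|ApiKey)\s+['\"][^'\"]+['\"]", re.I)),
]

# Constructed script showing the anti-pattern: a PAM service account's password embedded in the file.
WEAK_SCRIPT = """\
# Rotate service secrets via the PAM API
$pamUser = "svc_pam_admin"
$pamPass = "Sup3rS3cret!"
$sec = ConvertTo-SecureString "Sup3rS3cret!" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($pamUser, $sec)
Invoke-RestMethod -Uri "$base/oauth2/token" -Method Post -Body @{username=$pamUser; password="Sup3rS3cret!"}
"""

# Constructed hardened version: the credential is supplied at run time, nothing secret is in the file.
SAFE_SCRIPT = """\
# Rotate service secrets via the PAM API
$cred = Get-Credential -Message "PAM service account"
$token = (Invoke-RestMethod -Uri "$base/oauth2/token" -Method Post -Credential $cred).access_token
"""

def scan_script(name, text):
    """Return (script name, line number, rule) for each non-comment line holding a credential literal."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue
        for rule, pattern in RULES:
            if pattern.search(line):
                findings.append((name, lineno, rule))
                break  # one finding per line is enough for triage
    return findings

def scan_share(scripts):
    """Scan a {name: text} mapping (e.g. every *.ps1 read from a share) and return all findings."""
    return [f for name, text in sorted(scripts.items()) for f in scan_script(name, text)]
```

The report deliberately carries only the line number and rule, not the matched value, so the scanner's own output does not become another copy of the secret.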
The Uber hack seems nightmarishly bad. And pretty depressing that the way around MFA is just spamming the victim until they give up and just allow themselves to be hacked. https://t.co/pdX803Vjcp
— Tom Dotan (@cityofthetown) September 16, 2022
From another Uber employee:
Instead of doing anything, a good portion of the staff was interacting and mocking the hacker thinking someone was playing a joke. After being told to stop going on slack, people kept going on for the jokes. lmao
— Sam Curry (@samwcyo) September 16, 2022
If Uber didn't use computers then this would have never happened.
— Ken Westin (@kwestin) September 16, 2022
And on the 27th anniversary of the movie Hackers too. https://t.co/jXSBWswR4z pic.twitter.com/f5iITJILMj
— Whitney Merrill (@wbm312) September 16, 2022
We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available.
— Uber Comms (@Uber_Comms) September 16, 2022
Some new information since last night. The attacker claims that they were able to gain persistent MFA access to their compromised accounts by social engineering the victims into accepting a prompt that allowed the attacker to register their own device for MFA. 15/N pic.twitter.com/V9rrD8AW3B
— Bill Demirkapi (@BillDemirkapi) September 16, 2022
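Detection logic for the two behaviours described in the tweets by Lorenzo Franceschi-Bicchierai and Bill Demirkapi above (repeated push prompts until the victim accepts, then the attacker enrolling their own MFA device), as an added Python example that is not from any of the quoted authors or from Uber; the log format, field names and thresholds are assumptions:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample identity-provider log (not real Uber data); the line format is an assumption.
SAMPLE_LOG = """
2022-09-15T22:01:35Z user=alice event=push_denied
2022-09-15T22:03:40Z user=alice event=push_timeout
2022-09-15T22:05:30Z user=alice event=push_denied
2022-09-15T22:12:08Z user=alice event=push_approved
2022-09-15T22:20:00Z user=alice event=device_enrolled
2022-09-15T20:00:00Z user=carol event=push_denied
2022-09-15T22:30:00Z user=carol event=push_denied
"""
LINE_RE = re.compile(r"^(\S+) user=(\S+) event=(\S+)$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
REJECTED = {"push_denied", "push_timeout"}  # prompts the user did not accept

def parse_log(text):
    """Parse log lines into (timestamp, user, event) tuples, oldest first."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.strptime(m.group(1), TS_FMT), m.group(2), m.group(3)))
    return sorted(events)

def detect_push_fatigue(events, burst=3, window=timedelta(minutes=10),
                        enroll_window=timedelta(minutes=30)):
    """Flag users who rejected or ignored `burst` pushes within `window`; escalate when an
    approval after the burst is followed by a new MFA device enrollment."""
    alerts, by_user = [], defaultdict(list)
    for ts, user, event in events:
        by_user[user].append((ts, event))
    for user, evs in by_user.items():
        rejected = [ts for ts, e in evs if e in REJECTED]
        # end time of the first sliding window that holds `burst` rejections, if any
        burst_end = next((t for i, t in enumerate(rejected)
                          if sum(1 for t0 in rejected[:i + 1] if t - t0 <= window) >= burst), None)
        if burst_end is None:
            continue
        alerts.append((user, "push_fatigue", burst_end.strftime(TS_FMT)))
        approvals = [ts for ts, e in evs if e == "push_approved" and ts >= burst_end]
        enrolled = [ts for ts, e in evs if e == "device_enrolled" and approvals
                    and approvals[0] <= ts <= approvals[0] + enroll_window]
        if enrolled:
            alerts.append((user, "device_enrolled_after_fatigue", enrolled[0].strftime(TS_FMT)))
    return alerts
```

Carol's two denials hours apart produce no alert, which is the point of the sliding window: ordinary mis-taps should not page anyone, while a burst followed by an approval and a new device should.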
Honestly kind of a classy way to hack someone 😂😂😂 @Uber pic.twitter.com/fFUA5xb3wv
— Colton (@ColtonSeal) September 16, 2022
Uber has been hacked, and it looks bad. The hacker got in through social engineering and allegedly found a network share full of Microsoft PowerShell scripts that included Uber admin usernames and passwords to let them breach AWS, G Suite, and more 🥲 https://t.co/PUvw8lHzyw
— Tom Warren (@tomwarren) September 16, 2022
Update: We spoke to the person who claimed responsibility for the hack. He says he is 18. https://t.co/YPoh0U1FDI
— kate conger (@kateconger) September 16, 2022
NEW: An employee at Uber described scenes of chaos on Thursday night as the ride-hailing company’s computer systems were commandeered in a devastating hack that buffeted staffers with obscene images.
I wrote about inside the mayhem for @FortuneMagazine: https://t.co/AGCtjynjY5
— Kylie Robison (@kyliebytes) September 16, 2022
Uber employees are being barraged with obscene images in a major hack, and they’re worried their financial data may have been compromised https://t.co/exnPgeKNS7
— Alexei Oreskovic (@lexnfx) September 16, 2022
Uber said it was responding to a cybersecurity incident following reports the company had taken several internal communications and engineering systems offline after staff had been contacted by a hacker (@AlexMartin) https://t.co/wDU0y6gtp8
— The Record by Recorded Future (@TheRecord_Media) September 16, 2022
Uber breached by hacker in cybersecurity incident - The Washington Post @ABC7NY @NBCNews @CBSNews @CNBC @nytimes https://t.co/920VBjIAiP
— ReggieVaitz (@ReggieVaitz) September 16, 2022
New: Uber suffers internal breach, alerts authorities. The hacker announced themselves through a message posted to Slack, ppl familiar said, and then several systems including Slack went down. NYT first to report https://t.co/Yr3Lak0TdZ
— Faiz Siddiqui (@faizsays) September 16, 2022
“Uber hacked, internal systems breached and vulnerability reports stolen” https://t.co/iuV4q14tmg
— キタきつね (@foxbook) September 16, 2022
Uber hacked, internal systems breached and vulnerability reports stolen https://t.co/mKR0nOMKj1
— Nicolas Krassas (@Dinosn) September 16, 2022
Uber hacked, internal systems breached and vulnerability reports stolen https://t.co/Q5Bh0LiIZX
— Avoid The Hack! (@avoidthehack) September 16, 2022
Uber hacked, internal systems breached and vulnerability reports stolen https://t.co/WHA7CBNEbq
— /r/netsec (@_r_netsec) September 16, 2022
Uber hacked, internal systems breached and vulnerability reports stolen https://t.co/yaHJiytsid
— The Cyber Security Hub™ (@TheCyberSecHub) September 16, 2022