NewsBite

Uber in ‘unforgivable’ security breach

The hack, allegedly by a teenager, is a stark warning for Australian businesses according to security researchers.

An Uber pick up point at Sydney Airport in Mascot after Melbourne entered a fresh lockdown. Picture: NCA NewsWire / Jenny Evans

A security breach of Uber’s internal systems is “unforgivable”, one security expert says, with the hack serving as a warning to Australian businesses to beef up their identity systems to ensure confidential data isn’t stolen by malicious parties.

The attack, which began late last week, caused Uber to suspend employee access to its internal systems, including Zoom, Slack and Gmail. The company has yet to explain how the hacker gained access, though a person purporting to be the hacker, who is allegedly an 18-year-old, told The Wall Street Journal they tricked an Uber employee into revealing their password.

That password was then used to breach Uber’s systems including its internal corporate VPN. Information that could have been accessed by the hacker includes trip history and customer addresses.

“Hi @here,” the hacker wrote in a message on Uber’s internal Slack messaging channel. “I announce i am a hacker and uber has suffered a data breach.”

Paul Baird, chief technical security officer at IT security provider Qualys, said that the initial reports, if true, mean there have been multiple failures across Uber’s IT and cyber security defences.

“Hackers breaching corporate networks for ‘fun’ are some of the more dangerous adversaries to come across,” Mr Baird said.

“The initial attack vector of social engineering is still hard to defend against, especially when it came via an SMS, but seemingly not having multi-factor authentication on the corporate VPN and leaving a PowerShell script with access management creds on an intranet system, is unforgivable,” he said.

“As the only goal normally is to gain access to internal systems, cause havoc and steal data, there is very little Uber can do in minimising the impact of the breach. Whereas at least when you are dealing with bad actors that are financially incentivised, there is the possibility of paying a ransom to lessen the pain.”

Mr Baird said he was surprised that Uber’s internal security systems did not pick up ‘east-west’ traffic while the hacker traversed its network looking for confidential company information and source code.

John Shier, senior security adviser at security provider Sophos, said the latest attack was a reminder for organisations to make sure they have the ability to detect when attackers exploit or steal credentials. (Photo by JUSTIN SULLIVAN / GETTY IMAGES NORTH AMERICA / AFP)

“Uber needs to learn from this breach, bolster their IT and cyber security education and awareness programs, have or extend MFA and run a sanitisation exercise of systems to make sure scripts and documents sitting on internal systems don’t carry keys to the kingdom.”

Uber last suffered a large breach in 2016, when data from 57 million accounts was compromised, including names, email addresses and phone numbers. Around 7 million drivers were also affected. The company was later found to have concealed the breach for more than a year and reached a settlement in 2018 of $US148m ($220m), which was paid in compensation across several US states.

John Shier, senior security adviser at security provider Sophos, said the latest attack was a reminder for organisations to make sure they have the ability to detect when attackers exploit or steal credentials.

“Persistent attackers can and will find a way around multi-factor authentication systems that rely solely on time-based one-time passwords or push-based authentication,” he said.

“The need for compartmentalised access to critical resources, strong authentication and detection of identity-based activity is an important part of an organisation’s layered defences.”

An Uber spokeswoman said in a statement that the company has no evidence that the incident involved access to sensitive user data, like trip history.

“While our investigation and response efforts are ongoing, here is a further update on yesterday’s incident:

“All of our services including Uber, Uber Eats, Uber Freight, and the Uber Driver app are operational,” she said.

“As we shared yesterday, we have notified law enforcement.

“Internal software tools that we took down as a precaution yesterday are coming back online this morning.”


Original URL: https://www.theaustralian.com.au/business/technology/uber-in-unforgivable-security-breach/news-story/04dd98116e7d1157d7dfd1b67b33f653