Personal information of 77,000 Uber employees stolen in third-party vendor breach

Ride hailing giant Uber has suffered yet another data breach that has compromised its employees’ email addresses, corporate reports, and IT asset information.

A threat actor going by the name UberLeak recently leaked the stolen data on BreachForums, saying, “Hacked by autistic fisherman Arion and scammed all LAPSUS$ members.” The leaked data contains details of 77,000 Uber employees, numerous archived source code associated with the mobile device management platforms used by Uber, food delivery service Uber Eats and third-party vendor services. The leaked data, however, doesn’t contain any information of Uber’s customers.

Uber has pointed to IT asset management software company Teqtivity Inc. as the source of the security incident. An Uber spokesperson told Bleeping Computer that the stolen “files are related to an incident at a third-party vendor and are unrelated to our security incident in September.”

In a recent notice, Teqtivity said, “We are aware of customer data that was compromised due to unauthorised access to our systems by a malicious third party. The third party was able to gain access to our Teqtivity AWS backup server that housed Teqtivity code and data files related to Teqtivity customers.”

The company has launched an investigation and notified the law enforcement about the cyber attack. The investigation revealed that device information including serial numbers, make, models, technical specifications and user information including names, work email addresses and work location details were exposed to and stolen by hackers.

“Teqtivity does not collect or retain personal information such as home address, banking information, or government identification numbers,” the company added.

In September this year, Uber suffered a significant cyber attack that forced it to take several internal systems offline. According to The New York Times, the threat actor who gained access to the internal network of Uber was an 18-year-old who used a social engineering technique to carry out the attack. The teenager reportedly led an Uber employee to believe that he was a member of the company’s IT team and persuaded him to give up a password that allowed him to gain access to Uber’s internal network.

After entering Uber’s internal network, the threat actor gained access to several apps used by the company, including the Amazon Web Services console, VMware ESXi virtual machines, Google Workspace email admin dashboard, and Slack server. The threat actor even sent messages to other Uber employees, stating, “I announce I am a hacker and Uber has suffered a data breach.”

Commenting on the latest cyber incident affecting Uber, Raj Samani, SVP Chief Scientist at Rapid7, said, “Source code holds huge value to cyber criminals as it forms part of a company’s intellectual property. It can be used by threat actors to find security vulnerabilities (yet unknown) within an organisation’s product and can open the door to further cyberattacks. Therefore, source code being leaked onto a hacking forum is an extremely worrying prospect for Uber.

“It is crucial that organisations secure intellectual property such as source code, because it has been involved in 12% of data disclosures between April 2020 and February 2022. Businesses need multiple layers of defence which not only detect potential intrusion or lateral movement, but also security controls (such as file encryption) which protect them should threats remain undetected,” he added.