Was Sensitive User Data Stolen & Did 2FA Open Door To Hacker?

September 18 update below. This post was originally published on September 15

The New York Times is reporting that Uber has been hacked. Here’s what we know so far concerning this breaking story.

The ride-hailing and food delivery company has suffered a systems breach, according to the report, with employees unable to access internal tools such as Slack. One employee resource page is said to have had a not safe for work image posted to it by the hacker. A bug bounty hunter and security engineer not involved in the alleged hack has posted a comment that is attributed to an Uber employee, who wished to remain anonymous, which claims they were told to stop using Slack and “anytime I request a website, I am taken to a page with a pornographic image” and the message ‘f*** you wankers.’

Another bug bounty hunter has tweeted a screenshot, allegedly from the hacker, where they state, “I announce I am a hacker and Uber has suffered a data breach. Slack has been stolen…” with a hashtag of #uberunderpaisdrives

What has Uber said about the hack?

I reached out to Uber for a comment and was pointed to an official statement posted to Twitter which reads: “We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available.”

I have seen messages from someone who claims various Uber admin accounts are under their control. A New York Times reporter says that the hacker tells them he is 18 years old and hacked the Uber systems because “they had weak security.” He further claims this was accomplished through the social engineering of an Uber employee to obtain login credentials.

September 18 update

Uber still hasn’t had much to say publicly about the incident which appears to have allowed extensive access to internal systems. This is not all that surprising as investigations are ongoing. Most nearly all the evidence of the hack has come from the alleged hacker themselves, in the form of multiple postings and screenshots. However,…