Uber Technologies Inc., the popular ride-hailing company, has suffered yet another data breach after a threat actor released employee email addresses, IT asset information, and corporate reports online stolen from a third-party vendor.
The threat actor named “UberLeaks” on early Saturday morning leaked sensitive company information that claimed to have been stolen from Uber and Uber Eats and leaked on a hacking forum known as BreachForums.
This leaked data includes numerous archives claiming to be source code related to the mobile device management platforms (MDM) used by Uber, the company’s food delivery service Uber Eats and third-party vendor services.
Further, the threat actor created four separate topics for Uber MDM at uberhub.uberinternal.com, Uber Eats MDM, the third-party Teqtivity MDM, and TripActions MDM platforms, which are used by Uber.
Uber Confirms Data Breach
Uber confirmed its data was stolen in a breach on Teqtivity, which it uses for asset management and tracking services. The third-party company too said it was aware of the cybersecurity incident.
According to a Teqtivity data breach notification published on Monday, it states that customer data was compromised due to unauthorized access to its systems by a malicious third party. The threat actor was able to gain access to the Teqtivity AWS backup server that housed Teqtivity code and data files related to Teqtivity customers.
The firm added that the data exposed included device information such as serial number, make, models, technical specs, as well as user information like first name, last name, work email address, and work location details.
Teqtivity stated that the investigation is going on and the company has retained a third-party forensics firm to investigate all logs and server configuration. It has also hired a third-party security team to start a penetration test of the infrastructure. Additionally, they have also notified law enforcement officials.
Teqtivity cleared that it does not collect or retain personal information such as home address, banking information, or government identification numbers.
“We sincerely apologize for any inconvenience this may cause and very much regret this situation has occurred. Your confidence in our ability to safeguard your company data and your peace of mind are very important to us,” it concluded.
TripActions in a statement to Techworm confirmed that they do not maintain an MDM.
Further TripActions stated that Following investigations by both TripActions and Teqtivity, it has been determined that no TripActions data was exposed as part of this security incident nor were TripActions customers impacted as part of this security incident. TripActions does not maintain an MDM. We will continue to monitor the situation.”
What’s interesting is that each of the four separate topics mentioned above refers to a member of the infamous hacking group, Lapsus$. For instance, a post on BreachForums reads, “Hacked by autistic fisherman Arion and scammed all LAPSUS$ members.” Other than the forum post, there is no indication of any link to the group.
This is the same hacking group that conducted a cyberattack on Uber this September where it was able to get access to the company’s internal network as well as its Slack server.
However, Uber clarified that the Lapsus$ group is not connected to the recent data breach and they have not noticed any malicious access to their internal systems.
While initially, the stolen data appeared to be from the September Uber breach, a spokesperson for Uber told BleepingComputer that it is related to a security breach on a third-party vendor.
“We believe these files are related to an incident at a third-party vendor and are unrelated to our security incident in September. Based on our initial review of the information available, the code is not owned by Uber; however, we are continuing to look into this matter,” said Carissa Simons, the Uber spokesperson.
Other than the internal code and Uber’s internal corporate information, no Uber customer data was stolen. However, the stolen information did include email addresses and Windows Active Directory information for over 77,000 Uber employees, according to one of the documents seen by BleepingComputer.
Given that the leaked data is now publicly accessible, it could be used by anyone to perform targeted phishing attacks on Uber employees to obtain more sensitive information, such as login credentials. This could lead to further major attacks that may be detrimental to Uber and its customers.
How To Stay Safe
All Uber employees are recommended to get in touch with IT admins and confirm all information before responding to any phishing emails mimicking Uber IT support. As far as Uber customers are concerned, they can change their Uber password to stay protected.
