Why Uber’s ‘No Evidence’ Claim of Stolen User Data Is PR Bullshit
On September 15th, 2022, Uber was hacked through a successful social engineering attempt followed by a privilege escalation attack on an internal network. For a full understanding of what happened and the actions you need to take to protect your data, read “Uber Was Hacked. Here’s What Happened”.
Uber released an official security update at 10:30 PST on September 16th, 2022 regarding the breach that allowed a hacker to gain access to every Uber computer system. Now, Uber is claiming that there is “no evidence that the incident involved access to sensitive user data”. This claim is likely to be public relations bullshit, for a number of reasons.
Where Is The Evidence?
It’s well known that the hacker shared many photos with popular security researchers via Telegram, who then posted them to Twitter. To be specific, there are numerous photos of a number of Uber services being breached, including OneLogin (Single Sign-On), Thycotic (Privileged Access Management), Slack (Communication), VMware vSphere (Virtual Computing), SentinelOne (Endpoint Security Detection), Amazon Web Services, Google Suite, and more.
Uber makes the claim that no sensitive user data has been accessed. However, we can analyze a few public screenshots to see that this claim is LIKELY FALSE. The first and most obvious screenshot that indicates that user data was compromised involves an Amazon Web Services Identity and Access Management Console (AWS IAM). As a reminder, this service controls the permissions that people and applications are granted to each service. In this screenshot, we can clearly see that the hacker has downloaded images, an archive file, and taken screenshots of multiple pages.
Confused at what you’re looking at? Let’s explain. Amazon Web Services provides on-demand cloud computing platforms and APIs to individuals, companies, and governments. In other words, AWS provides people with the ability to use virtual computers — as opposed to physical computers — in order to run their operations. There are many AWS services, with the most popular being EC2 Instances (Elastic Compute Cloud) and Amazon S3 (Simple Storage Service). Other popular services include their database services such as RDS (Managed Relational Database Service), DynamoDB (Query Based Database), and other databases where user data would be stored.
What Do These Services Do?
The EC2 service functions as a virtualized computer, in a similar manner to the way you use your own computer. Developers are able to load and run programs on these instances for a metered price, and change the amount of computing power that the computer uses on a whim. Uber likely uses these services to run a number of applications that provide the Uber App functionality. The S3 service functions as cloud storage, in a similar manner to Google Drive. Instead of your file system being on a local physical computer, cloud storage allows you to store files on a virtualized computer and access them from anywhere. This has many benefits that this article won’t cover.
How Could User Data Be Compromised?
It’s likely that Uber uses AWS for other services (with proof on Github), which is where the pushback to the claim that no user data has been compromised lies. If the hacker were to access a database service, they could easily get ahold of a backup that contains the data for whichever application the database pertains to. This is more likely to be the case even if Uber doesn’t use AWS to manage its databases because the hacker gained access to EVERY Uber system.
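The data-access path described above (console access, then a database snapshot or export) leaves a trail in AWS CloudTrail. The following is an added example, not code from the original post or from Uber: it triages a handful of constructed CloudTrail records and flags console logins from outside a hypothetical trusted range, RDS/DynamoDB snapshot and export calls, and a snapshot being made publicly restorable. Field names follow the CloudTrail record schema; the account id, ARNs, IPs and identifiers are constructed.

```python
"""Added example: triage constructed CloudTrail records for the access paths the post describes."""
import ipaddress
import json

# Hypothetical corporate egress range; any console session from elsewhere is worth a look.
TRUSTED_NET = ipaddress.ip_network("10.0.0.0/8")

# (eventSource, eventName) pairs that turn AWS access into a copy of stored data.
WATCH = {
    ("rds.amazonaws.com", "CreateDBSnapshot"): "database snapshot created",
    ("rds.amazonaws.com", "StartExportTask"): "database snapshot exported to S3",
    ("dynamodb.amazonaws.com", "ExportTableToPointInTime"): "DynamoDB table exported",
    ("iam.amazonaws.com", "CreateAccessKey"): "new long-lived credential minted",
}

def triage(records):
    """Return (actor, source IP, reason) triples that deserve an analyst's attention."""
    findings = []
    for r in records:
        actor = r.get("userIdentity", {}).get("arn", "unknown")
        ip = r.get("sourceIPAddress", "0.0.0.0")
        src, name = r.get("eventSource"), r.get("eventName")
        if name == "ConsoleLogin" and r.get("responseElements", {}).get("ConsoleLogin") == "Success":
            if ipaddress.ip_address(ip) not in TRUSTED_NET:
                findings.append((actor, ip, "console login from outside trusted range"))
        elif name == "ModifyDBSnapshotAttribute":
            params = r.get("requestParameters", {})
            # Adding "all" to the restore attribute lets any AWS account restore the snapshot.
            if params.get("attributeName") == "restore" and "all" in params.get("valuesToAdd", []):
                findings.append((actor, ip, "database snapshot made publicly restorable"))
        elif (src, name) in WATCH:
            findings.append((actor, ip, WATCH[(src, name)]))
    return findings

# Constructed sample records (not real Uber telemetry); the last one is benign and must not be flagged.
SAMPLE = json.loads("""[
 {"eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","sourceIPAddress":"203.0.113.7",
  "userIdentity":{"arn":"arn:aws:iam::111122223333:user/contractor"},
  "responseElements":{"ConsoleLogin":"Success"}},
 {"eventSource":"rds.amazonaws.com","eventName":"CreateDBSnapshot","sourceIPAddress":"203.0.113.7",
  "userIdentity":{"arn":"arn:aws:iam::111122223333:user/contractor"},
  "requestParameters":{"dBInstanceIdentifier":"trips-prod","dBSnapshotIdentifier":"tmp-1"}},
 {"eventSource":"rds.amazonaws.com","eventName":"ModifyDBSnapshotAttribute","sourceIPAddress":"203.0.113.7",
  "userIdentity":{"arn":"arn:aws:iam::111122223333:user/contractor"},
  "requestParameters":{"dBSnapshotIdentifier":"tmp-1","attributeName":"restore","valuesToAdd":["all"]}},
 {"eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","sourceIPAddress":"10.0.0.5",
  "userIdentity":{"arn":"arn:aws:iam::111122223333:role/monitoring"}}
]""")
```

Running `triage(SAMPLE)` yields three findings for the contractor identity and none for the monitoring role; in practice the same logic runs over CloudTrail logs delivered to S3 or a SIEM.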
In “Uber Was Hacked. Here’s What Happened”, we explore the possibility for important user data to remain uncompromised even if the hacker gains access to the database (due to salting). However, it’s unlikely for “unimportant” data — such as trip history — to be salted, because salting has a cost and is typically only done with important data (i.e. passwords and financial data). The fact that the hacker gained access to EVERY Uber system raises the possibility that even Uber’s salted data is compromised.
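To make the distinction above concrete, here is an added example (not from the original post or from Uber) of a constructed user record: the password is stored as a per-record salted PBKDF2 hash combined with a secret pepper held outside the database, while trip history is stored as-is. A raw database copy hands over the trips immediately; the password still has to be guessed, and only stays protected while the pepper stays out of the attacker's hands. The email, password, trips and pepper are constructed values.

```python
"""Added example: a constructed record where only the password is salted and hashed."""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; constructed value, tune for your hardware

def make_record(email, password, trips, pepper):
    """Store a random per-record salt and a PBKDF2 hash; trip history stays readable."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode() + pepper, salt, ITERATIONS)
    return {"email": email, "salt": salt.hex(), "pw_hash": digest.hex(), "trips": trips}

def verify(record, password, pepper):
    """Recompute the hash with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode() + pepper,
                                 bytes.fromhex(record["salt"]), ITERATIONS)
    return hmac.compare_digest(digest.hex(), record["pw_hash"])

def exposed_by_dump(record):
    """What a raw copy of the table reveals without any further work: everything but the hash."""
    return {k: v for k, v in record.items() if k not in ("pw_hash", "salt")}

# Constructed data. The pepper lives outside the database (e.g. a secrets manager); if the
# intruder also holds that system, as the post argues, the hash can be attacked offline.
PEPPER = b"constructed-secret-pepper"
RECORD = make_record("rider@example.com", "correct horse battery staple",
                     ["2022-09-14 airport -> downtown", "2022-09-15 downtown -> airport"], PEPPER)
```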
One can argue that the screenshots above do NOT show evidence that user data was compromised, because they do NOT show user data. In other words, the screenshot shows that the hacker had access to Uber’s AWS Console, to services that might contain user data, and to downloads that might contain user data. However, since there is no user data present in the screenshot — or any indication that the downloads are explicitly linked to user data — Uber can claim that there is no evidence user data has been compromised.
Do you believe that Uber’s claim is justified? Let us know.
Uber Is Operational
Uber’s services, including Uber, Uber Eats, Uber Freight, and the Uber Driver application, are operational. However, this does NOT mean that everything has been secured. In many cases, breaches such as these can go unnoticed because all systems operate without issue while hackers still snoop in the background. Uber has contacted law enforcement agencies, which is ironic given that Uber Lobbied and Used ‘Stealth’ Tech To Block Scrutiny in the past. Only time will tell whether the company worth $63.2 BILLION and its over 100 MILLION Users remain safe.