How did the Uber hack happen?

Uber became aware of the breach when the hacker posted a message on the company-wide Slack channel and reconfigured their OpenDNS system to display an explicit image to employees on various internal sites. The attacker obtained the account credentials of a team member of Uber’s third-party contractor to gain initial access. The hacker then bypassed multi-factor authentication (MFA) by spamming the employee with approval request messages and eventually posing as someone from Uber’s IT team to obtain approval. Once inside the network, the attacker compromised several other Uber employee accounts and gained elevated permissions to various internal tools and systems. That is how the hacker was able to post messages on the company’s main Slack channel and manipulate internal sites.
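As an added example that is not part of this article, the following Python flags the push-spam pattern described above in an authentication log: a burst of MFA push prompts to one account inside a short window, and whether one of them was eventually approved. The log format, user names, window and threshold are assumptions, and the sample log is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample authentication log (not real data): "<ISO-8601 UTC> user=<id> event=<name>".
SAMPLE_LOG = """\
2023-01-01T22:00:05Z user=alice event=push_sent
2023-01-01T22:00:20Z user=alice event=push_approved
2023-01-01T22:10:00Z user=contractor07 event=push_sent
2023-01-01T22:10:30Z user=contractor07 event=push_denied
2023-01-01T22:11:00Z user=contractor07 event=push_sent
2023-01-01T22:12:00Z user=contractor07 event=push_sent
2023-01-01T22:12:40Z user=contractor07 event=push_sent
2023-01-01T22:13:10Z user=contractor07 event=push_sent
2023-01-01T22:14:45Z user=contractor07 event=push_approved
2023-01-01T23:00:00Z user=bob event=push_sent
2023-01-01T23:00:30Z user=bob event=push_sent
2023-01-01T23:01:00Z user=bob event=push_sent
2023-01-01T23:01:30Z user=bob event=push_sent
"""

def parse_log(text):
    """Parse log lines into sorted (timestamp, user, event) tuples."""
    events = []
    for line in text.splitlines():
        ts_str, user_kv, event_kv = line.split()
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, user_kv.split("=", 1)[1], event_kv.split("=", 1)[1]))
    return sorted(events)

def detect_push_fatigue(events, window=timedelta(minutes=10), threshold=4):
    """Flag users who received >= threshold push prompts inside one window.

    Returns {user: (prompt_count, outcome)}: "approved" if a push_approved lands
    in that window (likely bypass), "attempted" otherwise (password already stolen).
    """
    by_user = defaultdict(list)
    for ts, user, event in events:
        by_user[user].append((ts, event))
    findings = {}
    for user, evs in by_user.items():
        sent = [ts for ts, e in evs if e == "push_sent"]
        for i, start in enumerate(sent):
            burst = [t for t in sent[i:] if t - start <= window]  # prompts in window
            if len(burst) < threshold:
                continue
            approved = any(e == "push_approved" and start <= ts <= start + window
                           for ts, e in evs)
            findings[user] = (len(burst), "approved" if approved else "attempted")
            break  # one finding per user is enough for an alert
    return findings

if __name__ == "__main__":
    print(detect_push_fatigue(parse_log(SAMPLE_LOG)))
```

An "attempted" finding is still worth an alert: the prompts could only be generated by someone who already holds the account's password.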
How did Uber respond?

Uber’s security team raced to shut down the compromised tools, such as Slack and G-Suite. They also identified potentially compromised employee accounts and blocked their access. Mandatory password changes were immediately enforced for various employees. Other recovery and remediation measures Uber has taken so far include:
- Disabling affected and potentially affected internal tools
- Key-rotation for various internal services
- Codebase lockdown, which prevented any new or unauthorized code changes
- Mandated access re-authentication for internal systems
- Extra security and behavioral monitoring of their internal environment