Skip to main content

Uber reportedly suffers major data breach — what you need to know

Uber
(Image credit: Photo Illustration by Omar Marques/SOPA Images/LightRocket via Getty Images)

Update: Uber hacker also claims responsibility for Rockstar's major GTA 6 leak.

If you’re one of the many people that uses Uber to get around, you might want to pay attention. The ride-share company has confirmed that it's investigating a possible breach, and it sounds like this one is a doozy.

According to the New York Times (opens in new tab), Uber discovered its computer network had been breached on Thursday. The breach reportedly compromised some of Uber’s internal systems, with the alleged perpetrator sending images of emails, cloud storage and code repositories to the Times and cybersecurity researchers.

The hacker made themselves known by infiltrating the Uber Slack channel, and sending out the message “I announce I am a hacker and Uber has suffered a data breach.” This was followed by a list of internal databases they claim to have accessed, a message saying Uber drivers should get higher pay. as well as posting an explicit photo on an internal employee information page.

Two anonymous Uber employees, who asked to remain anonymous, told the TImes that Uber is telling staff not to use the company's Slack channel. Meanwhile, other internal systems are said to be inaccessible.

What caused the alleged Uber data breach?

So how did this happen? Well, the person claiming responsibility has been pretty chatty about the whole deal.

The hacker told the New York Times that they sent a text message to an Uber worker, claiming to be a “corporate information technology person.” This led to them persuading the Uber employee in question to hand over the password needed to gain access to Uber’s internal VPN, which gave them access to the corporate network. 

The hacker also told Acronis CISO Kevin Reed (opens in new tab) (via ZDNET (opens in new tab)) that they were able to access “highly privileged credentials on network file shares,” giving them access to the now-compromised systems.

The hacker also claimed to be 18 years old and had been “working on his cybersecurity skills for several years”. Apparently he broke into Uber’s systems because of the company’s weak security — or in other words, because he could.

A 'total compromise'

Sam Curry, researcher from Yuga Labs, said that it looks like “a total compromise” and that the person responsible “pretty much [has] full access to Uber”. That includes access to the company source code, emails and other internal systems. Curry shared similar sentiments on Twitter (opens in new tab), but told the Times that “it seems like maybe they’re this kid who got into Uber and doesn’t know what to do with it, and is having the time of his life.” 

Internal emails show an Uber executive telling employees that the breach is being investigated, but there’s no timeline on when full access will be restored. An Uber spokesperson told the Times they’re investigating the breach, and are in contact with law enforcement. 

This isn't the first time Uber has suffered a hack of this magnitude. Back in 2016 information from 57 million driver and rider accounts was stolen and held for ransom. Uber paid $100,00 in ransom money and actively covered up the incident until it was exposed a year later (opens in new tab) — something the company only officially admitted to in July (opens in new tab).

Joe Sullivan, the executive in charge of security, was fired as a result of the hack and is on trial for charges of obstruction of justice (opens in new tab) — on account of the hack not being disclosed to regulators.

How an Uber data breach could affect you

It’s not clear how much the hacker has access to, or what they intend to do with any information they acquire. Sam Curry could be right, and this is just a kid who managed to scam his way into the system to cause some havoc. However, even if that’s true, it doesn’t discount any malicious intent.

It’s also not entirely clear which systems they have access to, and what sort of information they contain. There’s not a whole lot that individual Uber users can do, but it is still worth changing your account password as a precaution. On top of that, if you have any accounts with the same password, change those too.

Ideally you'll want to choose something unique, because using the same password multiple times is just asking for trouble. If you have trouble remembering them all, check out our list of the best password managers, and our guide on how to create strong passwords to keep your data safe.

Tom Pritchard
Automotive Editor

Tom is the Tom's Guide's Automotive Editor, which means he can usually be found knee deep in stats the latest and best electric cars, or checking out some sort of driving gadget. It's long way from his days as editor of Gizmodo UK, when pretty much everything was on the table. He’s usually found trying to squeeze another giant Lego set onto the shelf, draining very large cups of coffee, or complaining that Ikea won’t let him buy the stuff he really needs online.