Uber said it believed the hacking group Lapsus$ was behind an attack last week that forced the company to temporarily shut down some internal systems, adding that the perpetrators gained access after obtaining an external contractor’s account credentials.
The attack is the latest on a large tech company tied to Lapsus$, a group described by cyber security researchers as a “loosely” held collective with roots in the UK and Brazil. Members have previously been blamed for embarrassing hacks on the likes of Microsoft, Samsung, Nvidia and Okta.
The gang was linked to another high-profile attack this weekend on video games developer Rockstar Games, in which footage from the unseen next instalment of the Grand Theft Auto series was leaked to a fan forum. Cyber security researchers noted strong similarities in the attack but said it was too soon to confirm a connection.
Uber first announced it had been breached Thursday evening. On Monday, the company confirmed that the intruder had gained “elevated permissions”, granting access to a number of internal systems and enterprise software used by employees.
Among those systems was Uber’s Slack channels, where the attacker sent a message alerting staff to the hack, saying: “I announce I am a hacker and Uber has suffered a data breach.” Some employees were redirected to a web page containing a lewd image.
The San Francisco-based ride-hailing company said its “public facing” systems were not affected and the databases it uses to store “sensitive” user data, such as bank details and trip history, were not violated. Nor had the attacker altered the software code underlying its app and services, Uber said.
Uber said it was “likely” that a hacker affiliated with Lapsus$ purchased the contractor’s password on the dark web.
“The attacker then repeatedly tried to log in to the contractor’s Uber account,” the company said. “Each time, the contractor received a two-factor login approval request, which initially blocked access. Eventually, however, the contractor accepted one, and the attacker successfully logged in.”
Lapsus$ rose to prominence at the end of last year, said Claire Tills of cyber security group Tenable. London police said in March that they had arrested seven people connected with the gang, aged between 16 and 21 years old.
Tills noted the group has described itself as not being “politically motivated or state-sponsored” and instead driven by a quest for notoriety. A Tenable research report released this year said the group was “brazen, unsophisticated and illogical”.
That pattern appeared evident on Sunday, when a user on a web forum for Grand Theft Auto claiming to be the person who hacked Uber days before posted 90 leaked videos and images from Grand Theft Auto 6. A follow-up message suggested that the hackers would “negotiate” with the company to prevent the release of more footage.
Rockstar on Monday confirmed the footage was genuine and that it had been a victim of a “network intrusion”.
“Our work on the next Grand Theft Auto game will continue as planned and we remain as committed as ever to delivering an experience to you, our players, that truly exceeds your expectations,” the company wrote on Twitter.
Shares in Rockstar’s parent company Take-Two Interactive were down at the onset of Monday’s trading but recovered by the end of the day. Uber’s stock has risen marginally over the past week.