Uber Blames Extortion, Hacking Group Lapsus$ For Recent Data Breach

US-based Uber Technologies Inc. said the hacker responsible for a data breach reported last week is affiliated with a notorious extortion group named Lapsus$, news agency Bloomberg said on Tuesday. According to media reports, Lapsus$ is an international hacker group known for cyberattacks against various large tech firms. Bloomberg report stated that Lapsus$ has also targeted other technology firms, including Microsoft Corp., Cisco Systems Inc., Okta Inc. and Samsung Corp. this year.

Uber shut down some of its internal software and messaging systems on Thursday after an attacker infiltrated its network and sent employees messages warning that Uber had been hacked. “We believe that this attacker (or attackers) are affiliated with a hacking group called Lapsus$, which has been increasingly active over the last year or so,” a company spokesperson said in an announcement on Monday.

The ride-hailing platform also acknowledged unconfirmed reports over the weekend that the same perpetrator had breached video game publisher Rockstar Games, and said it was working with the FBI and the US Department of Justice to probe its breach.

Uber said it did not believe the attacker had gotten into its public-facing systems, such as user accounts or databases that store sensitive or financial information. They did not access any customer data stored by its cloud providers including Alphabet Inc.’s Google and Amazon Web Services, it added.

Uber said it was “likely” that the attacker bought an Uber contractor’s password on the dark web, after that contractor’s personal device had been infected with malware. The attacker managed to hijack the two-factor login approval by inundating the contractor with requests, which they eventually accepted.

From there, the intruder was able to get into several employee accounts and had security permissions for Uber’s G-Suite and Slack, among other internal tools.

Uber also discovered that the attacker downloaded internal Slack messages and an internal tool the finance team uses to manage some invoices.

All software vulnerability reports the attacker accessed through Uber’s HackerOne dashboard had already been remediated, alleviating concerns that the hacker had access to vulnerabilities in Uber’s code. HackerOne assists with Uber’s bug bounty program, which allows ethical hackers to search for flaws which could lead to breaches in return for payment, or bounty.