The Washington PostDemocracy Dies in Darkness

Uber suffers computer system breach, alerts authorities

The company said in a tweet it was “responding to a cybersecurity incident”

An Uber sign at the company's headquarters in San Francisco. (Jeff Chiu/AP)

SAN FRANCISCO — Uber’s computer systems were breached and the company has alerted authorities, the ride-hailing giant said Thursday.

The ride-hailing company said in a tweet that it was “responding to a cybersecurity incident.”

The hacker surfaced in a message posted in Slack, according to two people familiar with the matter, who spoke on the condition of anonymity because of the sensitive nature of the incident.

“I announce i am a hacker and uber has suffered a data breach,” the message said.

The anatomy of a hack

It was followed by a flurry of reaction emoji, including several dozen showing what appeared to be a siren symbols. Because of the hack, the people said, some systems including Slack and internal tools were temporarily disabled.

Internal screenshots obtained by The Washington Post showed the hacker claiming to have wide-ranging access inside Uber’s corporate networks and appeared to indicate the hacker was motivated by the company’s treatment of its drivers. The person claimed to have taken data from common software used by Uber employees to write new programs.

Uber pointed to its tweeted statement when asked for comment on the matter. In an update Friday, the company said its investigation was ongoing, and services such as Uber and Uber Eats — and the company’s driver app — were working. It said the software tools that Uber disabled “as a precaution” were coming back online.

“We have no evidence that the incident involved access to sensitive user data (like trip history),” the company wrote.

An internal outage report Thursday viewed by The Post said riders and food delivery customers had been unable to request rides or place orders in locations including Atlanta, Ga. and Brisbane, Australia, though it said the issue was later “mitigated.”

Uber waits a year to report massive hack of customer data

The New York Times first reported the breach.

Uber previously suffered a breach in 2016 that exposed personal information of 57 million people around the world, including names, email addresses and phone numbers. It also included drivers license info from roughly 600,000 U.S. drivers. Two individuals accessed the information via “a third-party cloud-based service” used by Uber at the time.

Uber, which is based in San Francisco, employs thousands of people globally who may have been affected by the hacker’s obstruction of systems. The company has also come under fire for its treatment of drivers, who it has fought to keep as contractors.

The hacker posted as Uber on a chat function at HackerOne, which runs interference between researchers who are reporting security vulnerabilities and the companies who are affected by them. Uber and other companies use that service to manage reports of security flaws in its programs and to reward researchers who find them.

In that chat, which was viewed by The Post, the alleged hacker claimed access to Uber’s Amazon Web Services account.

What to do if you’re hacked

AWS did not immediately respond to a request for comment. (Amazon founder Jeff Bezos owns The Post.)

In a subsequent interview on a messaging app, the alleged hacker told The Post that they had breached the company for fun and might leak source code “in a few months.”

The person described Uber security as “awful.”

Peiter “Mudge” Zatko’s journey from hacker to Twitter whistleblower

Security experts said the screenshots included proof that the hacker had access to highly privileged security accounts, which would provide wide authority inside the company.

They also said that the company appeared to have blundered by including passwords in programs used for accessing key outside resources, such as Amazon Web Services, so the hacker did not need to break into more exclusive internal accounts or try to guess. Asked about any concern of arrest, the alleged hacker told The Post via a Telegram account they were not worried because they lived outside the United States.

Uber employees were caught off guard by the sudden disruption to their workday, and some initially reacted to the alarming messages as if they were a joke, according to the screenshots.

The hacker’s ominous posts were met with reactions apparently depicting the SpongeBob character Mr. Krabs, the popular “It’s Happening” GIF and queries as to whether the situation was a prank.

“Sorry to be a stick in the mud, but I think IT would appreciate less memes while they handle the breach,” one message viewed by The Post said.