Demystifying Uber Hack! Never Underestimate Social Engineering Skills of Attacker!

Clearly, this is what happens even if bug bounty platforms cannot prevent attacks by not paying ample amount of $$ to personal (TA) for their work!

As its, developing information, found out that the person behind this attack is of 18 years old (remember there is no age limit for threat actors/hackers) & ultimately, he doesn’t even know what exactly to do with the data that he had accessed to. Still, he found a way in, that is why it makes us feel vulnerable.

According to The New York Times, the threat actor responsible for the Uber hack claims to have gained access simply by sending a text to an Uber employee pretending to be from the company’s corporate IT team and compromised the employee’s account he used the employee’s existing VPN access to pivot to the intranet network and talking about internal network infrastructure they are often less configured and less protected and less audited compared to external infrastructure, that leaves many doors open.

TA appears to have made themselves known to Uber’s employees by posting a message on the company’s internal Slack system. “I announce I am a hacker and Uber has suffered a data breach,” screenshots of the message circulating on Twitter read. The claimed hacker then listed confidential company information they said they’d accessed and posted a hashtag saying that Uber underpays its drivers. Once the attacker compromised an employee, they appear to have used that victim’s existing VPN access to pivot to the internal network. the attacker appears to have found an internal network share that contained scripts with privileged credentials, giving them the keys to the kingdom. They claim to have compromised Uber’s Duo, OneLogin, AWS, and GSuite environments.

The threat actor also breached the Uber Slack server, which he used to post messages to employees stating that the company was hacked. However, screenshots from Uber’s slack indicate that these announcements were first met with memes and jokes as employees had not realized an actual cyberattack was taking place.

The attacker shared several screenshots of Uber’s internal environment, including their GDrive, VCenter, sales metrics, Slack, and even their EDR portal.

Uber’s AWS environment appears to be compromised as well. This screenshot of their IAM portal appears to show that the attacker has administrative access. If true, cloud access could not only include Uber’s websites, but other critical internal services as well.

The fact that the attackers appear to have compromised an IR team member’s account is worrisome. EDRs can bake in “backdoors” for IR, such as allowing IR teams to “shell into” employee machines (if enabled), potentially widening the attacker’s access.

Previous incidents:

  1. Uber hacked by teenager demanding higher pay for drivers.
  2. Lapsus$ Cyberattacks Traced to Teenager in England.
  3. Teen who hacked Bill Gates Twitter account sentenced.
  4. Teenage hackers breached T-Mobile, grabbed 30k repos.
  5. Scots ‘hacker’ could be extradited to America after manhunt.

Lessons Learnt:

  • Organizations should start using Phishing resistant MFA.
  • Awareness, and regular phishing tests of employees.
  • Centralizing authentication like SSOs can be a single point of entry for any attackers.

So, how do you prevent social engineering ?

You don’t. Stop trying. This is the basic principle of security… it’s a every day process.

You assume it will happen and put in technical safeguards to prevent or minimize impact, here is how:

  • Using phishing resistant MFA (FIDO, passkeys, etc.)
  • Do not save your credentials as plain text.
  • Investing in automation.
  • Ensuring least privilege.
  • Designing with an assumption of breach: How do we detect, contain, …? (Threat model).
  • Education is a key to minimizing possible attack surface’s against Social Engineering.
  • MFA providers should by default automatically lock accounts out temporarily when too many prompts are sent in a short period of time.

List of social engineering types of attacks

  • Phishing
  • Smishing
  • Vishing
  • Spam
  • Spam over instant messaging (SPIM)
  • Spear phishing
  • Dumpster diving
  • Shoulder surfing
  • Pharming
  • Tailgating
  • Eliciting information
  • Whaling

Need Help?

Please feel free to contact us, we’ll happy to assist you.


Tsaro labs were founded in 2017 and are operating in America, the Middle East, and India. As a company, we provide IT solutions and security against cyber threats. We have successfully made our way to secure top companies listed in the Forbes 100. We are proud to provide complete protection for your data to stay free from any cyber attack.

Get a Consultation

Discover the many ways to enhance your organization security posture with TSARO Labs
Select service*