Uber Was Hacked. Here’s What Happened.

SwitchUpCB, PhD
Published in
5 min readSep 16, 2022

Photo by Austin Distel on Unsplash

On Thursday, September 15th, 2022, Uber was hacked through a successful social engineering attempt followed by a privilege escalation attack on an internal network. Read this article for a full understanding of what happened and the actions you need to take to protect your data.

What Is Social Engineering?

Social engineering is the use of psychological manipulation to trick a user into giving away sensitive information. In this case, the hacker was able to convince an employee — through phishing or another type of social engineering attack and Multifactor Authentication Fatigue— to gain access to a single employee’s credentials. This gave the hacker access to Uber’s internal company network (by logging into the VPN using the employee’s credentials).

What Is a Privilege Escalation Attack?

A Privilege Escalation is a process where a hacker with limited access to a system (or network) increases their permissions and access to the system. Since the hacker was on Uber’s internal network (via VPN), it was able to snoop around files shared by other employees. One file was a PowerShell script — typically used to automate Windows Servers (Computers) — containing administrative credentials for the Thycotic service.

Thycotic is a privileged access management (PAM) system used to manage secrets (such as passwords). Unfortunately for Uber, the admin user the hacker gained access to was able to extract secrets (passwords) for ALL OF UBER’s SERVICES. In other words, the hacker logged in to Uber’s systems using this admin account and stole the passwords for their services. This includes an array of services including “DA, DUO, Onelogin, AWS [Amazon Web Services], and GSuite [Google Suite]”.

To put in perspective the magnitude of this breach, let’s explain what some of these services do. For one, OneLogin is an Identity and Access Management System (IAM) used to provide Single-Sign On functionality for Uber employees. As an example, SSO is used to allow an employee to use one set of credentials (username and password) to gain access to every application they use. Amazon Web Services (AWS) contains an IAM service that controls who has access to each (Uber) service. In other words, the hacker was able to do…