Uber said Friday it was investigating a “cybersecurity incident,” declining to comment on reports a young hacker had gained access to the ride-hailing company’s computer network.
Uber put out word of the breach late Thursday in a tweet, and a hacker claiming to be 18 years old then posted screenshots taken from inside Uber computers.
“He says that he simply—having already determined a valid username and password—tricked an Uber staff member into granting him access to internal systems,” independent cybersecurity analyst Graham Cluley said at his website.
Online comments purported to be by the hacker indicated he targeted an Uber employee with notifications for more than an hour, then reached out to the worker via WhatsApp claiming to be a member of the company’s tech support team.
“Many other companies are probably at risk of falling for a similar trick,” Cluley said.
Uber said Friday that its services were all operational and that it had “no evidence that the incident involved access to sensitive data” such as users’ trip history.
Employee software tools shut down as a precaution were being gradually restarted, the San Francisco-based company added.
“There’s a reason cybersecurity experts say that the human is often the weakest link,” said Ray Kelly, a fellow at Synopsys Software Integrity Group in Silicon Valley.
“Whether it be phishing/SMS attacks or a simple phone call to get an employee to give up their credentials, ‘social engineering’ is going to be the easiest route for a malicious actor.”