Uber explains how it was pwned this month, points finger at Lapsus$ gang

Uber, four days after suffering a substantial cybersecurity breach, has admitted its attacker accessed "several internal systems" including the corporation's G Suite account, and downloaded internal Slack messages and a tool used by its finance department to manage "some" invoices. The rideshare and food-delivery app believes …

  1. Anonymous Coward

    That's another Slack hack then?

    Wasn't the GTA breach done via Slack as well?

    1. A Non e-mouse Silver badge

      Re: That's another Slack hack then?

      Either you forgot that A/Cs can't use the joke icon or you failed to read the article.

      1. Anonymous Coward

        Re: That's another Slack hack then?

        Both? Those are not mutually exclusive options :).

  2. Cheshire Cat

    Denying an MFA request

    Explicitly denying an MFA request should blacklist the login IP for a set time (maybe 4h or a day). That would do a lot towards stopping this sort of thing.

    1. Malcolm 5

      Re: Denying an MFA request

      I see the argument, however am I really the only one to have hit the wrong button occasionally (e.g. when the MFA app swaps the buttons around)?

      1. Tom Paine
        Facepalm

        Re: Denying an MFA request

        I'm a bit out of the loop, but are these MFA systems just "someone tried to login to your account, wax if you? [Y/N]" if so, serves em right for believing vendor BS -- or just not caring. Even a 6 digit code sent by SMS would be more secure than Y / N.

        1. Anonymous Coward

          Re: Denying an MFA request

          I'm not sure how it would go about waxing a hacker, but I hope it's a properly hairy one when it does.

          :)

        2. Michael Wojcik Silver badge

          Re: Denying an MFA request

          Even a 6 digit code sent by SMS would be more secure than Y / N.

          That's a very dubious claim, given the multitude of security failings in SMS – such as the fact that many users allow their phones to display SMS messages while locked.

      2. Michael Wojcik Silver badge

        Re: Denying an MFA request

        MFA systems already tend to have poor usability (in part because of the many types of MFA in use) and bad failure modes. I'm not eager to see yet another failure mode added.

        MFA has helped mitigate attacks around passwords, which are terrible authenticators. Unfortunately it's done that by introducing another terrible authenticator. (And most attempts to address that problem are similarly flawed, like Apple's FIDO integration in its OSes, which wraps MFA in biometrics, which are a terrible authenticator.)

        1. Missing Semicolon Silver badge

          Re: Denying an MFA request

          The problem with these convenient MFA systems, where you just press OK to continue on the app, is that there is no feedback to the logon page. So spamming the user works. Why don't they all use authenticator apps, where you have to type in a code?

  3. Anonymous Coward
    FAIL

    PR Checklist

    1 - A limited breach may have occurred but we have no evidence that any records were extracted. (complete)

    2 - We have fixed the problems and are working with law enforcement to identify the perpetrators. (complete)

    3 - There may have been some records extracted and we are working to determine how many and what sort of records. ( within the week)

    4 - It's 2016 all over again. Sorry about that. Our thoughts and prayers go out to you. (as soon as it hits the dark web)

    1. Kevin McMurtrie Silver badge

      Re: PR Checklist

      5. Security has always been our top priority. This was the result of an extremely sophisticated attack force sponsored by a hostile nation.

      1. Alumoi Silver badge
        Joke

        Re: PR Checklist

        No, no, no, it's 'state sponsored (bad) actor', get your terms right. Where's your bullshit bingo card?

        1. Tom Paine

          Re: PR Checklist

          Ta-da! Matt Blaze ftw.

          https://www.mattblaze.org/bingo/pr

      2. This post has been deleted by its author

  4. Henry Wertz 1 Gold badge

    MFA

    Yeah, Outlook aside (which has apparently malfunctioned once or twice where it started spamming people with requests...) if you get spammed with MFA requests it probably means someone is trying to break into your account and the best thing to do is change your password (and account name if possible).

    1. MachDiamond Silver badge

      Re: MFA

      "if you get spammed with MFA requests it probably means someone is trying to break into your account and the best thing to do is change your password (and account name if possible)."

      Why? If you are getting bunches of notices, how would changing your password do anything? Obviously, they don't have your passwords or they'd be into your account already and you'd never be the wiser unless you can look at the logs. The best thing to do is contact the admin and have them look into the attack. In the meantime, you might want to log in and lock out what you can.

      1. Anonymous Coward

        Re: MFA

        The problem is attempt timeout. Sometimes it's not about gaining access, but simply denial of service.

        This is why I intensely dislike using a public email address as UID, that's asking for it.

        Thankfully I run my own email platform so I can create as many aliases as I need, also handy when you don't trust a site and want to track if they "leak" email addresses to the swines known as marketeers, aka spammers.

      2. Michael Wojcik Silver badge

        Re: MFA

        Obviously, they don't have your passwords or they'd be into your account already

        Er... the whole point of MFA is that the password is not sufficient to gain access.
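The two defensive ideas raised in this thread, an explicit deny blocking the requesting IP for a set time (Cheshire Cat's suggestion further up) and treating a burst of push prompts as an attack instead of something the user has to keep answering (the "spamming the user works" and "if you get spammed with MFA requests" comments), as an added worked example. This is editor-supplied Python, not code from the article, from The Register or from any MFA vendor; the policy class, the thresholds, the log field names and the log lines are all constructed for illustration.

```python
"""MFA push-fatigue policy: explicit-deny IP block plus push-bombing detection.

Added example; all identifiers, thresholds and log lines are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
import datetime as dt

DENY_BLOCK_SECONDS = 4 * 3600   # an explicit deny blocks the source IP for 4 hours
BURST_WINDOW_SECONDS = 300      # sliding window used to count pushes per account
BURST_LIMIT = 5                 # pushes inside the window that count as bombing


@dataclass
class PushPolicy:
    """Server-side state: per-IP block expiry, per-user push times, alerts raised."""
    blocked_until: dict = field(default_factory=dict)                  # ip -> unix time
    pushes: dict = field(default_factory=lambda: defaultdict(deque))   # user -> timestamps
    alerts: list = field(default_factory=list)

    def on_login_attempt(self, user: str, ip: str, ts: float) -> str:
        """Decide whether a push may be sent: 'push', 'blocked_ip' or 'push_bombing'."""
        if self.blocked_until.get(ip, 0.0) > ts:
            return "blocked_ip"              # user denied this IP recently: send nothing
        window = self.pushes[user]
        while window and ts - window[0] > BURST_WINDOW_SECONDS:
            window.popleft()                 # forget pushes outside the sliding window
        window.append(ts)
        if len(window) >= BURST_LIMIT:
            if len(window) == BURST_LIMIT:   # alert once per burst, not once per push
                self.alerts.append(f"push-bombing suspected for {user} from {ip}")
            return "push_bombing"            # suppress the push; the user is not asked again
        return "push"

    def on_user_response(self, user: str, ip: str, ts: float, value: str) -> None:
        """An explicit deny is a strong signal: block the IP and record it for admins."""
        if value == "deny":
            self.blocked_until[ip] = ts + DENY_BLOCK_SECONDS
            self.alerts.append(f"{user} denied push from {ip}")


def parse_line(line: str):
    """Parse one constructed log line: '<iso time> key=value key=value ...'."""
    stamp, *pairs = line.split()
    ts = dt.datetime.fromisoformat(stamp.replace("Z", "+00:00")).timestamp()
    fields = dict(p.split("=", 1) for p in pairs)
    return ts, fields


def replay(log_text: str):
    """Run the policy over a log; returns (decision per login event, alerts)."""
    policy = PushPolicy()
    decisions = []
    for line in log_text.strip().splitlines():
        ts, f = parse_line(line)
        if f["event"] == "login":
            decisions.append(policy.on_login_attempt(f["user"], f["ip"], ts))
        elif f["event"] == "response":
            policy.on_user_response(f["user"], f["ip"], ts, f["value"])
    return decisions, policy.alerts


# Constructed sample: alice denies one push; bob's account is then push-bombed.
SAMPLE_LOG = """
2022-09-15T20:00:00Z user=alice ip=203.0.113.7 event=login
2022-09-15T20:00:05Z user=alice ip=203.0.113.7 event=response value=deny
2022-09-15T20:00:30Z user=alice ip=203.0.113.7 event=login
2022-09-15T21:00:00Z user=bob ip=198.51.100.9 event=login
2022-09-15T21:00:20Z user=bob ip=198.51.100.9 event=login
2022-09-15T21:00:40Z user=bob ip=198.51.100.9 event=login
2022-09-15T21:01:00Z user=bob ip=198.51.100.9 event=login
2022-09-15T21:01:20Z user=bob ip=198.51.100.9 event=login
2022-09-15T21:01:40Z user=bob ip=198.51.100.9 event=login
2022-09-16T08:00:00Z user=alice ip=203.0.113.7 event=login
"""

if __name__ == "__main__":
    decisions, alerts = replay(SAMPLE_LOG)
    for d in decisions:
        print(d)
    for a in alerts:
        print("ALERT:", a)
```

Two design points worth noting. The burst rule stops prompting the user and raises an alert rather than locking the account, which is the "contact the admin and have them look into it" path rather than the "change your password" one. The deny rule is keyed on the source IP, so the mis-tap Malcolm 5 describes, if it comes from the user's own network, blocks that network for the full four hours; a real deployment would scope or shorten the block for the account's known-good addresses.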

  5. ChoHag Silver badge
    FAIL

    Youth is wasted on the young

    By rights, after gaining that level of access, Uber should no longer exist. This kid is a moron. Totally missed opportunity.

    1. A Non e-mouse Silver badge

      Re: Youth is wasted on the young

      Breaking in is one thing. Destroying a major company's world-wide IT infrastructure is a whole different level of crime.

      1. Alumoi Silver badge

        Re: Youth is wasted on the young

        It depends on the company. Should it happen to Facebook, Uber, Google, Instagram, Tik-Tok, Tweeter and their ilk nothing of value would be lost.

        1. A Non e-mouse Silver badge
          Meh

          Re: Youth is wasted on the young

          And the hundreds of thousands of people who currently work for them...?

          I'm not trying to say that turning off Facebook wouldn't be a bad thing, but once you've done Facebook, et al, how do you draw the line and not move on to other targets? It's a steep slippery slope down into the vigilante rabbit hole.

          1. Anonymous Coward

            Re: Youth is wasted on the young

            It's a steep slippery slope down into the vigilante rabbit hole.

            You might want to rephrase that. I always forget to tone down my imagination when I come here - as a Jimmy Carr fan it'll take a while for me to lose the visual that my mind made of that.

            :)

            1. Michael Wojcik Silver badge

              Re: Youth is wasted on the young

              Oooh – now I have the concept for my next Alice's Adventures in Wonderland fanfic.

              1. Anonymous Coward

                Re: Youth is wasted on the young

                well, as they say (apparently), don't forget to lubricate..

        2. MachDiamond Silver badge

          Re: Youth is wasted on the young

          "nothing of value would be lost."

          I agree with the sentiment, but it's not really true. All of the social media companies collect all sorts of information on their users to sell to their customers (users aren't necessarily customers). The big data aggregators love every piece of data they can get. Maybe they don't already have your children's mobile numbers or their school's name. They might find it handy to fill those boxes in if there is value to be had.
