Global ride sharing and food delivery company Uber has released further details on the recent data breach which saw it shut down several internal and engineering systems.
Uber now believes one or more affiliates with the Lapsus$ group, which also breached a supplier of authentication vendor Okta, is behind the hack.
"This group typically uses similar techniques to target technology companies, and in 2022 alone has breached Microsoft, Cisco, Samsung, Nvidia and Okta, among others," Uber wrote.
"There are also reports over the weekend that this same actor breached video game maker Rockstar Games," it added.
Uber said an external contractor had its account compromised, likely due to the hacker buying the person's corporate password on the "dark web".
The credentials were exposed after the contractor's personal device was infected by unnamed malware, Uber said.
Two-factor authentication initially kept the hacker out of Uber's accounts, but the attacker persisted and obtained access after the contractor accepted a log-in request.
Once in, the hacker accessed other employee accounts and gained elevated permissions to tools like Uber's Google G-Suite and Slack.
The attacker was also able to reconfigure Uber's OpenDNS settings "to display a graphic image to employees on some internal sites".
Uber said it has found which employee accounts were compromised and reset the passwords for those.
The company has also disabled and reset access to many potentially affected internal tools and services, and locked down its code base to prevent any changes being made to it.
Uber said it doesn't believe any public-facing systems with sensitive user infromation such as trip histories and credit card data were breached, but added that employee internal Slack messages were downloaded, along with information from its finance team.
