Uber, in an update, said there is “no evidence” that users’ private information was compromised in a breach of its internal computer systems that was discovered late Thursday.
“We have no evidence that the incident involved access to sensitive user data (like trip history),” the company said. “All of our services including Uber, Uber Eats, Uber Freight, and the Uber Driver app are operational.”
The ride-hailing company also said it’s brought back online all the internal software tools it took down previously as a precaution, reiterating it’s notified law enforcement of the matter.
It’s not immediately clear if the incident resulted in the theft of any other information or how long the intruder was inside Uber’s network.
Uber has not provided more specifics of how the incident played out beyond saying its investigation and response efforts are ongoing. But independent security researcher Bill Demirkapi characterized Uber’s “no evidence” stance as “sketchy.”
“‘No evidence’ could mean the attacker did have access, Uber just hasn’t found evidence that the attacker *used* that access for ‘sensitive’ user data,” Demirkapi said. “Explicitly saying “sensitive” user data rather than user data overall is also weird.”
The breach allegedly involved a lone hacker, an 18-year-old teenager, tricking an Uber employee into providing account access by social engineering the victim into accepting a multi-factor authentication (MFA) prompt that allowed the attacker to register their own device.
Upon gaining an initial foothold, the attacker found an internal network share that contained PowerShell scripts with privileged admin credentials,