Update below: Uber has shared further information with BleepingComputer about how its data was stolen in a breach of Teqtivity, which provides asset management and tracking services to the company.
Uber suffered yet another data breach after a malicious actor leaked employee email addresses, corporate reports and information about stolen IT assets to a third-party vendor during a cybersecurity incident.
Early Saturday morning, a threat actor named “UberLeaks” began leaking data he claimed was stolen from Uber and Uber Eats on a hacking forum known for posting data breaches.
The leaked data includes numerous archives purporting to be source code associated with mobile device management (MDM) platforms used by Uber and Uber Eats and third-party vendor services.
The threat actor created four separate topics, allegedly for Uber MDM at uberhub.uberinternal.com and Uber Eats MDM, and third-party platforms Teqtivity MDM and TripActions MDM.
Each post references a member of the Lapsus$ hacking group which is believed to be responsible for numerous high-profile attacks, including a September cyberattack against Uber where threat actors gained access to the company’s internal network and Slack server.
BleepingComputer has been informed that the newly leaked data consists of source code, IT asset management reports, data destruction reports, Windows domain logins and email addresses, and other business information.
One of the documents BleepingComputer viewed includes email addresses and Windows Active Directory information for more than 77,000 Uber employees.
While BleepingComputer initially believed this data was stolen in the September attack, Uber told BleepingComputer it believed it was related to a security breach at a third-party vendor.
Security researchers who analyzed the leak told BleepingComputer that the leaked data relates to Uber’s internal corporate information and does not include any of its customers.
However, we are told that the leaked data contains enough detailed information to carry out targeted phishing attacks on Uber employees to acquire more sensitive information, such as login credentials.
Therefore, all Uber employees should be on the lookout for phishing emails impersonating Uber IT Support and confirm all information directly with IT administrators before responding to such emails.
BleepingComputer has contacted Uber, TripActions and Teqtivity with further questions regarding the incident, but has not received a response at this time.
Uber’s data was stolen in a Teqtivity breach
Following the publication of this story, Uber shared that threat actors stole its data during a recent breach of Teqtivity, which it uses for asset management and tracking services.
Uber referred us to a Teqtivity Data Breach Notification published this afternoon, which explains that a threat actor gained access to a Teqtivity AWS backup server that stores customer data.
This gave the threat author access to the following information for companies using their platform.
- Device information: serial number, brand, models, technical specifications
- User information: first name, last name, work email address, work location details
Uber told BleepingComputer that the source code leaked on the hacking forum was created by Teqtivity to run Uber’s services, explaining the numerous references to the ride-sharing company.
Uber also reiterated that the Lapsus$ group was unrelated to this breach, even though forum posts refer to one of the threat actors associated with the group.
While forum posts say they breached “uberinternal.com”, Uber said they saw no malicious access to their systems.
“The third party is still investigating but has confirmed that the data we have seen to date originated from its systems, and to date we have not seen any malicious access to Uber’s internal systems,” Uber told BleepingComputer.
Update 12/12/22: Added additional information from Uber on Teqtivity violation.