Uber’s computer network was breached Thursday, causing the ride-hailing giant to take multiple internal communications and engineering systems offline as it investigates the hack, The New York Times reported earlier.
Uber said its investigation was still ongoing as of 10:30 a.m. PT Friday, but said “there is no evidence the incident involved access to sensitive user data.”
Uber, Uber Eats, Uber Freight and Uber Drive were all up and running on Friday, and now Uber is bringing its internal software tools back online.
Uber earlier said it was investigating a cybersecurity incident and contacting law enforcement. The FBI is reportedly helping Uber investigate the incident. Uber did not immediately respond to a request for comment.
On Thursday, the company instructed employees not to use workplace messaging app Slack, the report quoted two employees as saying. Other internal systems were also inaccessible, The Times reported.
According to The Times, shortly before Slack went offline on Thursday afternoon, Uber employees received a message on the app: “I declare that I am a hacker and Uber has suffered data breach.” The message also listed several internal databases that the hackers claimed had been compromised, The Times reported.
According to the New York Times, the self-described 18-year-old hacker said he was motivated by what he called weak security and provided screenshots of Uber’s internal systems to prove his access permissions.
Uber told The New York Times that hackers sent the message through the app after breaching a worker’s account. The hacker, who apparently also had access to other internal systems, posted an explicit photo on the employee’s internal information page, the newspaper reported.
Uber has been hacked before. In 2018, it agreed to a $148 million settlement over a 2016 data breach that the ride-hailing service failed to disclose. Hackers were able to steal data on 57 million drivers and passengers, including personal information such as names, email addresses and driver’s license numbers.
Instead of publicly disclosing the hack, the company had to pay the hackers $100,000 within a certain number of days in states like California to delete the information and have them sign a nondisclosure agreement.
Joe Sullivan, Uber’s head of security from April 2015 to November 2017, was indicted in 2020 for allegedly covering up a breach. Sullivan described the payments as bug bounty rewards, which companies typically pay to researchers who find security flaws, but prosecutors said the payments were more of a cover-up than a bounty.
