Uber employees believed the alleged teen hacker attack was a joke.

The world’s largest ride-hailing company, Uber, shut down a portion of its operations late on Thursday after learning that its internal systems had been compromised. According to the company, the attacker was able to socially engineer his way into a worker’s Slack account before making a deeper foray into the network.


While the full scope of the breach is still unknown, the attacker, who was reportedly a teenager, claimed to have stolen Uber’s proprietary source code, troves of emails, and data from Google Cloud storage. He sent “proof” of this to several cybersecurity experts and media outlets, including The New York Times.

According to Sam Curry, security engineer at Yuga Labs, “They pretty much have full access to Uber.” “From what it seems, this is a complete compromise.”

Dominoes of compromise

The first system to be taken offline was the Slack collaboration tool, but other internal systems swiftly followed, according to reports. “I announce I am a hacker and Uber has experienced a data breach,” the attacker wrote in a Slack message to Uber employees (some of whom shared it on Twitter) just before the disablement.

The attacker also told researchers and the media that the first sign of the breach was a text message, sent to an Uber employee, that claimed to be from corporate IT. The “tech support” message merely requested a password, and the employee provided it.

According to Ian McShane, vice president of strategy at Arctic Wolf, “while no official explanation has yet been provided, [apparently] the intruder was able to connect to the corporate VPN to access the larger Uber network, and then seems to have stumbled on gold in the form of admin credentials stored in plain text on a network share.” This attack has a relatively low barrier to entry and is comparable to consumer-focused attackers calling people and impersonating Microsoft in order to convince them to install keyloggers or remote access tools.

An Uber spokesperson told the Times in a media statement that the breach was being investigated by law enforcement and that social engineering was the point of entry. The business announced publicly on Twitter that it was responding to a cybersecurity incident: “Law enforcement is in touch with us, and we’ll update this page as soon as we have more information.”

The hacker, who claimed to be 18 years old, reportedly targeted the business to expose its lax security; there may also be a hacktivist component as he also stated in the Slack message to staff that Uber drivers ought to be paid more.

Given the alleged level of access, McShane continued, “I’m surprised the attacker didn’t try to demand ransom or extortion; it seems like they did it ‘for the lulz’.”

Not Uber’s First Ride with a Data Breach

In 2016, there was yet another significant breach involving Uber. In that incident, hackers stole the personal data of 57 million customers and drivers and demanded $100,000 in return for not turning the information into a weapon (the company paid up). In a non-prosecution agreement reached this summer with the US Department of Justice following a subsequent criminal investigation, Uber acknowledged that it actively concealed the full extent of the breach, which it hadn’t even disclosed for over a year.

As part of that earlier lawsuit settlement, Uber agreed to implement a corporate integrity program, specific data security safeguards, incident response, and data breach notification plans, as well as biennial assessments. Ironically, given the recent developments, Uber paid $148 million to all 50 states and the District of Columbia.
