Uber indicates that the recent cyberattack on the company was carried out by a member of the Lapsus$ group. The cybercriminal accessed Uber systems by misleading a remote employee.

In an update on the attack, Uber states that a remote employee turned out to be the attack vector. The cybercriminal likely obtained the employee’s login credentials through the dark web. The credentials were ultimately used to access internal systems.

After several initial attempts, the cybercriminal encountered two-factor authentication. Nevertheless, an Uber contractor granted one-time authorization, allowing the hacker to penetrate the network.


The cybercriminal proceeded to access multiple Uber employee accounts authorized to use collaboration tools, including G Suite and Slack. The attacker posted an announcement in a Slack channel and modified the company’s OpenDNS to display a graphic message to employees on internal systems.

Uber explicitly states that no user data was captured in the attack. The hacker did not gain access to sensitive databases of credit card information, bank details and ride logs.


Uber said it was able to confirm the identity of the attacker. The cybercriminal reportedly operates under the name of ‘teapotuberhacker’. The hacker is said to be affiliated with the infamous Lapsus$ group, which is held responsible for attacks on Okta, Nvidia, Cisco, Samsung and Microsoft earlier this year.

Uber says it has since taken a number of measures to prevent a repeat of the cyberattack. It’s also working closely with security companies and US judicial organizations to track down the perpetrators.
