While not much information was forthcoming from Uber themselves, new updates from cybersecurity firms Sophos and Kaspersky have shed some light on the Uber data loss affecting more than 57 million personal records that occurred in 2016.
According to Sophos, Uber programmers uploaded security credentials to a GitHub repository – GitHub is a place where you are supposed to store source code, not the keys to the castle! – where the hackers stumbled across them.
From there, the crooks were able to get into Uber servers hosted on Amazon, and from there to access the personal information involved in the breach.
“Uber’s breach demonstrates once again how developers need to take security seriously and never embed or deploy access tokens and keys in source code repositories. I would say it feels like I have watched this movie before, but usually organizations aren’t caught while actively involved in a cover-up. Putting the drama aside and the potential impacts from the upcoming GDPR enforcement, this is just another development team with poor security practices that has shared credentials. Sadly, this is common more often than not in agile development environments,” said Sophos Principal Research Scientist Chester Wisniewski.
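The root cause above is credentials committed to a source repository. As an added illustration (not code from the article, Uber, Sophos or Kaspersky), here is a small Python pre-commit style scanner that flags AWS-style access keys before a file reaches a repository; the key-format rules, entropy threshold and sample config are assumptions, and the key values are the placeholders from AWS's own documentation, not live keys.

```python
import math
import re
from typing import List, Tuple

# Assumed detection rules: the AWS access key ID format is publicly documented;
# the secret-key rule pairs a suggestive variable name with a 40-character
# base64-style value, then requires high entropy to weed out placeholders.
AWS_ACCESS_KEY_ID = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
AWS_SECRET_ASSIGNMENT = re.compile(
    r"(?i)aws[_-]?secret[_-]?(access[_-]?)?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})['\"]?"
)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: random secrets score high, words score low."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_text(text: str, entropy_threshold: float = 4.0) -> List[Tuple[int, str, str]]:
    """Return (line_number, finding_type, value) for each suspected credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_ID.finditer(line):
            findings.append((lineno, "aws_access_key_id", m.group(0)))
        for m in AWS_SECRET_ASSIGNMENT.finditer(line):
            value = m.group(2)
            if shannon_entropy(value) >= entropy_threshold:
                findings.append((lineno, "aws_secret_access_key", value))
    return findings


# Constructed sample: a config file a developer might commit by mistake.
# Lines 3 and 4 hold AWS documentation placeholder keys; line 6 is a
# low-entropy dummy value that the entropy filter should leave alone.
SAMPLE_CONFIG = """\
[default]
region = us-east-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
[placeholder]
aws_secret_access_key = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
"""

if __name__ == "__main__":
    # Expected: one access key ID on line 3 and one secret on line 4.
    for lineno, kind, value in scan_text(SAMPLE_CONFIG):
        print(f"line {lineno}: {kind}: {value}")
```

Wiring this into a pre-commit hook (or a CI job that runs it over the diff) blocks the commit at the developer's machine, which is far cheaper than rotating keys after they are public.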
What could happen to the data
“When a data breach like this occurs, it is important to remember and never underestimate the consequences associated with personal information that has fallen into the hands of intruders. The data accessed can be used for further attacks against users, by spreading malware or any type of cyberespionage. For example, attackers can sell a stolen database with personal information on the underground market, where there is high demand.
This year we have already seen increased activity in cybercriminals targeting popular ride-sharing mobile apps. Such services will remain an appealing target, due to the valuable credentials and sensitive data they hold. Access to this information could lead to greater damage for users but high benefits for criminals.
We therefore strongly recommend that users be attentive to incoming messages sent by email or SMS, do not click on suspicious links, and avoid installation of apps from unknown sources. Kaspersky Lab also advises the use of a reliable security solution,” commented Vyacheslav Zakorzhevsky, Head of Anti-Malware Research Team at Kaspersky Lab.
As a chilling last touch, Sophos cybersecurity advisor James Lyne commented that “Uber isn’t the only and won’t be the last company to hide a data breach or cyberattack. Not notifying consumers puts them at greater risk of being victimized with fraud. It’s for precisely this reason that many countries are driving to regulations with mandatory breach disclosure.”