{
	"id": "ecda495f-a4a2-4e1a-8366-08ea9323b947",
	"created_at": "2026-04-06T00:15:05.362353Z",
	"updated_at": "2026-04-10T13:12:43.836387Z",
	"deleted_at": null,
	"sha1_hash": "34040fcb0b4f9bed26bd6d8c38aef9ae29cb6696",
	"title": "Uber attributes hack to Lapsus$, working with FBI and DOJ on investigation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 81915,
	"plain_text": "Uber attributes hack to Lapsus$, working with FBI and DOJ on investigation\r\nBy Jonathan Greig\r\nPublished: 2023-01-10 · Archived: 2026-04-05 21:21:37 UTC\r\nRide-share giant Uber said on Monday that the headline-grabbing cyberattack on their systems was traced back to the compromised account credentials of a contractor exploited by hackers connected to the notorious extortion group Lapsus$.\r\nThe company said in a statement that it is working with the FBI, Department of Justice and several leading digital forensics firms on the investigation but noted that the hacker has been involved in several other breaches of large companies.\r\n“We believe that this attacker (or attackers) are affiliated with a hacking group called Lapsus$, which has been increasingly active over the last year or so,” the company said. “This group typically uses similar techniques to target technology companies, and in 2022 alone has breached Microsoft, Cisco, Samsung, Nvidia and Okta, among others. There are also reports over the weekend that this same actor breached video game maker Rockstar Games.”\r\nThe hacker downloaded internal messages from the company’s Slack and accessed information from an internal tool the company’s finance team uses to manage invoices. Uber said the attacker was also able to access the company’s dashboard for vulnerability reporting platform HackerOne.\r\nUber said that the hacker was not able to access public-facing systems that power their apps, user accounts, or the databases used to store credit card numbers and bank account information. Their investigation found that the attacker did not change their codebase and did not access any customer or user data stored by their cloud providers.\r\nUber said it is still investigating the incident but believes that an “Uber EXT contractor” had their account compromised by someone who likely purchased the contractor’s Uber corporate password on the dark web “after the contractor’s personal device had been infected with malware, exposing those credentials.”\r\nThe ride-share company confirmed earlier reports that the attacker repeatedly tried to log in to the contractor’s Uber account. The contractor blocked access each time they received a two-factor login approval request but eventually accepted it, giving the attacker access.\r\n“From there, the attacker accessed several other employee accounts which ultimately gave the attacker elevated permissions to a number of tools, including G-Suite and Slack,” Uber said. “The attacker then posted a message to a company-wide Slack channel, which many of you saw, and reconfigured Uber’s OpenDNS to display a graphic image to employees on some internal sites.”\r\nhttps://therecord.media/uber-attributes-hack-to-lapsus-working-with-fbi-and-doj-on-investigation/\r\nPage 1 of 4\r\nUber said that once its security team discovered the issue, they first wanted to get the hacker out of their system, ensure user data was safe and limit any potential damage done to Uber services. They did this by blocking the compromised employee accounts or forcing through password resets. The company went so far as to disable some of the affected internal tools that had been accessed during the incident and subsequently reset access to the internal services.\r\n“Because we took down some internal tools, customer support operations were minimally impacted and are now back to normal,” Uber explained.\r\nUber’s security team also said it prevented changes to its code by “locking it down.” The company did not respond to requests for clarification about these steps.\r\nEmployees were forced to re-authenticate after the company restored access to the internal tools that had been hacked.\r\nAccording to the statement, Uber instituted more stringent multi-factor authentication policies and added additional tools allowing security officials to monitor internal environments more closely.\r\nA person claiming to have broken into the ride-hailing company’s network contacted The New York Times last week with evidence of the breach, including “images of email, cloud storage and code repositories.” They also contacted several security researchers claiming to have obtained log-in credentials for some of the company’s most sensitive business accounts.\r\nUber was hacked.\r\nThe hacker social engineered an employee -\u003e logged into the VPN and scanned their intranet.\r\n— Corben Leo (@hacker_) September 16, 2022\r\nThe hacker claimed he was male, 18 years old, and “had broken into Uber’s systems because the company had weak security.” Over the weekend, the same alleged hacker claimed to have broken into Rockstar Games and stolen information related to the next installment of the Grand Theft Auto series.\r\nIf accurate, the attack would be yet another feather in the cap of Lapsus$, a group that made waves earlier this year with several brazen attacks on the world's biggest tech companies.\r\nLast month, Brazil’s Federal Police carried out eight search and seizure warrants as part of an investigation into attacks claimed by the Lapsus$ Group that disrupted the country’s Ministry of Health last December.\r\nSome alleged members of the group were reported to be teenagers — including one in Oxford who was doxxed in an episode of hacker drama, according to Bloomberg. U.K. law enforcement arrested seven people, ages ranging from 16 to 21, in March for alleged involvement in Lapsus$.\r\nThe group continued to post for several days after the arrests, including about a data breach at the software company Globant, but its public Telegram channel has been silent since late March.\r\nJonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.\r\nSource: https://therecord.media/uber-attributes-hack-to-lapsus-working-with-fbi-and-doj-on-investigation/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://therecord.media/uber-attributes-hack-to-lapsus-working-with-fbi-and-doj-on-investigation/"
	],
	"report_names": [
		"uber-attributes-hack-to-lapsus-working-with-fbi-and-doj-on-investigation"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "be5097b2-a70f-490f-8c06-250773692fae",
			"created_at": "2022-10-27T08:27:13.22631Z",
			"updated_at": "2026-04-10T02:00:05.311385Z",
			"deleted_at": null,
			"main_name": "LAPSUS$",
			"aliases": [
				"LAPSUS$",
				"DEV-0537",
				"Strawberry Tempest"
			],
			"source_name": "MITRE:LAPSUS$",
			"tools": [
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d4b9608d-af69-43bc-a08a-38167ac6306a",
			"created_at": "2023-01-06T13:46:39.335061Z",
			"updated_at": "2026-04-10T02:00:03.291149Z",
			"deleted_at": null,
			"main_name": "LAPSUS",
			"aliases": [
				"Lapsus",
				"LAPSUS$",
				"DEV-0537",
				"SLIPPY SPIDER",
				"Strawberry Tempest",
				"UNC3661"
			],
			"source_name": "MISPGALAXY:LAPSUS",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2347282d-6b88-4fbe-b816-16b156c285ac",
			"created_at": "2024-06-19T02:03:08.099397Z",
			"updated_at": "2026-04-10T02:00:03.663831Z",
			"deleted_at": null,
			"main_name": "GOLD RAINFOREST",
			"aliases": [
				"Lapsus$",
				"Slippy Spider ",
				"Strawberry Tempest "
			],
			"source_name": "Secureworks:GOLD RAINFOREST",
			"tools": [
				"Mimikatz"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "52d5d8b3-ab13-4fc4-8d5f-068f788e4f2b",
			"created_at": "2022-10-25T16:07:24.503878Z",
			"updated_at": "2026-04-10T02:00:05.014316Z",
			"deleted_at": null,
			"main_name": "Lapsus$",
			"aliases": [
				"DEV-0537",
				"G1004",
				"Slippy Spider",
				"Strawberry Tempest"
			],
			"source_name": "ETDA:Lapsus$",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434505,
	"ts_updated_at": 1775826763,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/34040fcb0b4f9bed26bd6d8c38aef9ae29cb6696.pdf",
		"text": "https://archive.orkl.eu/34040fcb0b4f9bed26bd6d8c38aef9ae29cb6696.txt",
		"img": "https://archive.orkl.eu/34040fcb0b4f9bed26bd6d8c38aef9ae29cb6696.jpg"
	}
}