Last week, the news broke that Uber had concealed a data breach that affected 57 million customers and drivers by paying off the hackers around £75,000 to delete the data they had stolen.
The hackers found 57 million names, email addresses and mobile phone numbers, Uber said. Within that number, hackers had exposed the names and licence details of 600,000 drivers.
>See also: The dark side of Uber’s amazing customer experience
While the hack and the sheer number of people affected is worrying in itself, the research of RepKnight’s cyber analysts show that Uber is also facing a disproportionate threat from the dark web compared with many other global organisations.
Uber’s dark web threat
Using a monitoring tool called BreachAlert, RepKnight found 42,037 instances of email addresses belonging to Uber employees posted on the dark web and other dump sites since July 2017 alone. Given the fact that Uber employs around 17,000 people, a figure of 42,000 email addresses appearing in posts on the dark web is a huge worry — although many of the email addresses making up the total had been posted multiple times, typically in posts containing 300–400 addresses. One single post on 8th September contained 3,535 unique addresses, which is more than 20% of the company.
The reason why this is concerning is because cybercriminals can easily buy — or even copy from open dump sites — long lists of email addresses, and then initiate broad phishing scams in an attempt to steal even more sensitive data from Uber.
>See also: Despite the controversies, Uber’s revenue continues to increase
All it takes is for one Uber employee to click on a phishing link to give a cybercriminal access to more data. Some of these lists even contain full names and clear-text passwords, which could potentially give cybercriminals undetected access to Uber’s systems.
How Uber’s email addresses may have ended up on the dark web
Quite how cybercriminals managed to get their hands on a great number of employee email addresses is unknown, but the bulk of them possibly originated from a previous GitHub exposure. Back in 2014, “hackers” stumbled across Uber login credentials in an Uber-maintained but publicly-exposed Github software repository. Chances are someone used these credentials to access Uber’s database to steal data.
Unauthorised access is a very common problem, though, and not something that just threatens Uber. Every week we at RepKnight see recurrences of insecure cloud storage “buckets”, and yet some companies do not regularly check the security of the container. Script kiddies can easily find these open buckets using openly available tools; it’s not rocket science.
What Uber needs to do now
Like many big brands, Uber has had a problem with the dark web for a number of years now. In 2015 cybercriminals could buy Uber user accounts for as little as $1 on dark web site AlphaBay. There are even some user accounts available for free. Today, Uber user accounts are for sale on the dark web for €5:
The question now is what Uber can do about it? To combat the threat of hacked accounts, the responsibility mostly lies with the user, not Uber. Those who use Uber should change their password once every few months to render any hacked data useless in the hands of a cybercriminal.
>See also: Italy bans Uber: a ‘slap in the face’ to Italian citizens
However, because there are so many identities out there, clearly Uber needs to take its own steps to prevent the likes of phishing attacks. In terms of protection, employee education and subsequent awareness are key when dealing with emails and phone calls. At the very least Uber should employ phishing detection on their mail network.
To go one step further, Uber may consider enforcing password resets with robust password policies to all accounts. With so many emails exposed Uber should perhaps even consider disabling those accounts and re-issuing them in a different random format to remove the ability for cybercriminals to guess email addresses.
While changing email addresses will have an obvious impact on receiving legitimate business emails during the changeover, taking these sorts of measures is better than suffering another data breach, which, this time, may be fatal.
There are plenty of lessons other organisations can take from this story as well. The dark web is a threat to all businesses — no matter what size or how famous you are — because attackers are mainly opportunists looking to make money out of hacking.
>See also: EXCLUSIVE: The Tinder Economy of CEOs
RepKnight’s cyber analysts see all sorts of stolen data on the dark web for sale every single day — from credit card details to employee logins — and the victims are often none the wiser.
But nowadays, so much corporate data already lives outside the firewall that most organisations struggle to keep track of all of it — and when cybercriminals compromise some of that data and post it on the dark web, most organisations cannot do anything about it because they never knew about the hack in the first place.
Sourced by Patrick Martin, cybersecurity analyst, RepKnight