What Uber’s data breach reveals about social engineering

Updated 20th September 15:14 EST

Few techniques are as popular among cybercriminals as social engineering. Research shows that IT staff receive an average of 40 targeted phishing attacks a year, and many organizations are struggling to intercept them before it’s too late. 

Last week, Uber was added to the long list of companies defeated by social engineering after an attacker managed to gain access to the organization’s internal IT systems, email dashboard, Slack server, endpoints, Windows domain and Amazon Web Services console. 

In a statement reflecting on the breach, Uber noted that an Uber EXT contractor had their account hacked by a Lapsus$ attacker.

The organization believes the attacker purchased the contractor’s Uber password on the dark web, and sent a string multi-factor authentication requests to the user to trick them into accepting it. They then used elevated permissions to access tools including G-Suite and Slack. 

The data breach sheds light on the effectiveness of social engineering techniques and suggests that enterprises should reevaluate reliance on multifactor authentication (MFA) to secure their employees’ online accounts. 

Social engineering: the low-barrier way to hack  

In many ways, the Uber data breach further illustrates the problem of relying on password-based authentication to control access to online accounts. Passwords are easy to steal whether purchasing them online, committing brute-force hacks or harvesting them through social engineering scams, and they provide a convenient entry point for attackers to exploit. 

At the same time, no matter how good a company’s defenses are, if they’re relying on passwords to secure online accounts, it only takes one employee to share their login credentials for a breach to take place. 

“Uber is the latest in a string of social engineering attack victims. Employees are only human, and eventually, mistakes with dire consequences will be made,” said Arti Raman, CEO and founder of Titaniam. “As this incident proved, despite security protocols in place, information can be accessed using privileged credentials, allowing hackers to steal underlying data and share them with the world.”

While measures like turning on multifactor authentication can help to reduce the likelihood of account takeover attempts — they won’t fully prevent them.

Rethinking account security 

Generally, user awareness is an organization’s best defense against social engineering threats. Using security awareness training to teach employees how to detect manipulation attempts in the form of phishing emails or SMS messages can reduce the likelihood of them being tricked into handing over sensitive information. 

“General cybersecurity awareness training, penetration testing and antiphishing education are powerful deterrents to such attacks,” said Neil Jones, director of cybersecurity evangelism at Egnyte. 

Organizations simply cannot afford to make the mistake of thinking that multifactor authentication is enough to prevent unauthorized access to online accounts. Instead, company leaders need to assess the level of risk based on the authentication options supported by the account provider and implement additional controls accordingly. 

“Not all MFA factors are created equal. Factors such as push, one-time-passcodes (OTPs), and voice calls are more vulnerable and are easier to bypass via social engineering,” said Josh Yavor, CISO at Tessian. 

Instead of relying on these, Yavor recommends implementing security-key technology based on modern MFA protocols like FIDO2 that have phishing resilience built into their designs. These can then be augmented with secure-access controls to enforce device-based requirements before providing users access to online resources.