What the Uber hack might mean for London commuters

Uber launched in the UK in London in 2012 (Matt Alexander/PA) (PA Archive)

We still don’t know the full extent of the damage from the recent Uber hack, but given the ridesharing service claims more than 3.5 million Londoners regularly use the service (not to mention the 45,000 drivers), readers could be forgiven for feeling more than a little uneasy at the news.

“They pretty much have full access to Uber,” Sam Curry, a security engineer at Yuga Labs told The New York Times. “This is a total compromise, from what it looks like.”

A lack of transparency

Could that involve passwords, trip data and more? We simply don’t know, and that lack of transparency is infuriating for security researchers.

“When they don’t allow the customer to understand what data it is: that’s where it becomes dangerous,” Jake Moore, global cybersecurity advisor at ESET tells The Standard. “Because if we don’t know the extent of it, then it is difficult to know what hackers have got on us.

“Uber should be open with their customers, but right now they’re not being because I think they’re embarrassed,” he continued, suggesting that the hacker’s access to Slack and internal resources via basic social engineering looks bad for a company of Uber’s stature.

But despite Uber’s near silence, we do know that the hacker gained access to Uber’s HackerOne bug bounty program, and that could spell trouble. It contains all the vulnerabilities found by ethical hackers, and it’s possible that not all of these have yet been fixed. BleepingComputer reports that the hacker downloaded the reports before losing access, meaning that these theoretical loopholes could be passed on to others to exploit.

Moore doesn’t appear too worried by this, pointing out that urgent vulnerabilities should have been fixed already, and anything left outstanding will likely be minor. “But any amount of vulnerability is, of course, something that you should be looking at. And right now I’d be looking at patching very quickly if there’s a chance it’s now being looked at upon by multiple groups.”

The Standard reached out to Uber regarding the possibly stolen reports and to learn what data was at risk, but was pointed in the direction of the company’s vague Twitter statement. “We aren’t commenting any further at this stage,” the spokesperson added.

Of course, it may be that the attack ultimately goes no further, being intended purely to embarrass Uber and raise the profile of the hacker rather than to do any direct harm to customers and employees.

“A lot of people always believe there’s some sort of financial gain behind every single attack, and of course, that’s not the case,” Moore explains. “There are so many people out there that do it for what they’d call ‘the LOLs’. They will do it for pure fun, and maybe kudos amongst their own peer groups.”

That also seems to be Curry’s view, having communicated with the hacker via HackerOne. He apparently first heard about the breach because the hacker left a reply to a two-year-old bug he had submitted to the program. “It seems like maybe they’re this kid who got into Uber and doesn’t know what to do with it, and is having the time of his life,” he told The New York Times.

Time to act

At the time of writing, we simply don’t know whether Londoners’ personal data is directly at risk. But at the same time, there’s no harm in being extra vigilant, especially given Uber’s history of taking time to reveal the full extent of security breaches.

“My general advice is to go and change the password and make sure two-factor authentication is implemented on every account,” Moore says.

But does that advice still apply if Uber is potentially still compromised? Ultimately yes, Moore says. “Worst case scenario: Yeah, you’re going to be doing it again in two weeks’ time.”

This precaution gets a bit more complex if you’re in the habit of reusing passwords across sites. If usernames and password combinations do become public, hackers always try these on multiple sites knowing full well that most people reuse their logins for simplicity’s sake. Unfortunately, if that applies to you, then it just makes sense to go through your sites changing the login credentials to be on the safe side.

For maximum security, we recommend a password manager which will generate a random string of characters and numbers for every site, and automatically enter them for you via a master password. You can see our pick of the best password apps here.