The company reiterated that no customer or user data was compromised during the breach.
“We believe that this attacker (or attackers) are affiliated with a hacking group called Lapsus$, which has been increasingly active over the last year or so,” Uber said in an update.
This group typically uses similar techniques to target technology companies, and this year breached Microsoft, Cisco, Samsung, Nvidia and Okta, among others.
“There are also reports that this same actor breached video game maker Rockstar Games. We are in close coordination with the FBI and the US Department of Justice on this matter and will continue to support their efforts,” Uber added.
The attacker accessed several internal systems at Uber.
The company said it did not see that the attacker accessed the production (public-facing) systems that power its apps; any user accounts; or the databases it uses to store sensitive user information, like credit card numbers, user bank account info, or trip history.
“We reviewed our codebase and have not found that the attacker made any changes. We also have not found that the attacker accessed any customer or user data stored by our cloud providers,” said Uber.
It does appear that the attacker downloaded some internal Slack messages, according to Uber, as well as accessed or downloaded information from an internal tool “our finance team uses to manage some invoices”.
“We are currently analysing those downloads”.
The attacker was able to access the Uber dashboard at HackerOne, where security researchers report bugs and vulnerabilities.
“However, any bug reports the attacker was able to access have been remediated,” Uber added.
Lapsus$ waged a ransomware attack against the Brazilian Ministry of Health in December 2021, compromising the vaccination data of millions.
Earlier this year, the UK Police arrested several members of the group earlier this year, most of them teenagers.