Hot Topics
Identity & Access Security Bloggers Network 
SBN

The Thing About Uber’s Data Breach

by Steve Tout on September 16, 2022

Hey everyone, Steve here again, and I’ve been doing some thinking…

The thing about Uber’s data breach that the pundits are overlooking is this:

In the case of a hacker MFA bombing an Uber employee in the middle of the night, wouldn’t the first factor need to be compromised first?

If an MFA prompt comes before entering in a password or is “passwordless” and doesn’t require one at all, then that needs to be called out as an ineffective security posture as well.

Ergo, a credential must have been involved in the authentication sequence somewhere. We don’t know whether that credential was compromised, leaked, stolen, etc…

Who cares if the hacker was 18 or 58?

A lot of the pundits and social media that I have been reading today point out that the hacker professed to be 18 years old. They point out that admin credentials were stored in PowerShell scripts or in plain text. I do not condone this practice and made the blast radius of this hack much larger than it needed to be.

Another thing we know is that there are 2,184 compromised credentials from the Uber.com domain in the VeriClouds database, with at least 625 of them newly reported since 9-Sept, 2022. (Obviously masked and encrypted for privacy. Why?)  I may be wrong, but one of those leaked credentials could have been used by the 18yo hacker to assist in bypassing the MFA controls that were supposed to protect the company from such attacks.

There are 2,184 compromised credentials from the Uber.com domain in the VeriClouds database

The bottom line

The bottom line is this. Identity threat intelligence complements MFA and passwordless solutions. To be more precise: CredVerify provides identity threat intelligence for stronger authentication and helps stop preventable data breaches.

CredVerify provides identity threat intelligence for stronger authentication and helps stop preventable data breaches.

What you can do about it

No doubt vendors will come around and try to help you. (VeriClouds is also a vendor, we can help you too!) Journalists will no doubt recommend that you search Have I Been Pwned to see if your email was involved in this or any other breach.  I wrote a blog on Medium a while back called Why ‘Have I Been Pwned’ is not a security solution (And it never will be) wherein I outline reasons why relying on HIBP is not going to help you or your organization.

We at VeriClouds believe that cybersecurity leaders need to be proactive in integrating cyber threat intelligence into their authentication modules and identity systems. Being proactive protect users and their data before the harm is done, and can potentially help organizations avoid large fines and reputational damage, too.

Join me for a conversation with VeriClouds founder and CEO, Stan Bounev, and Richard Bird AKA “The guy with the bow-tie” to discuss how organizations should be thinking about and acting on ITDR with more urgency. All are welcome and can register here.

 

Join us for the What the ITDR webinar on September 27th at 10:00am PST.

If you have questions or just want to hit back at me, send me an email at stevet at vericlouds dot com, follow me on Twitter @SteveTout or schedule time on my calender here.

The post The Thing About Uber’s Data Breach appeared first on VeriClouds.

*** This is a Security Bloggers Network syndicated blog from Blog — VeriClouds authored by Steve Tout. Read the original post at: https://www.vericlouds.com/the-thing-about-ubers-data-breach/

Steve Tout , , ,

Secure Guardrails