Hackers taking Uber for a ride as RepKnight finds 43,000 employee email addresses on the Dark Web

1st December 2017 | News

By Jeremy Hendy, EVP sales and marketing, RepKnight

Uber’s having a tough time of it at the minute. Just as the company looks to appeal its ban in London, it then admits to covering up a data breach that affected 57 million customers, including 2.7 million Brits, by paying the hackers £75,000 to delete the data they had stolen.

The reputation of the company is no doubt on a knife edge. But to make matters considerably worse, RepKnight’s cyber analysts have also found that Uber is facing a significantly worse threat from the Dark Web compared with many other global organisations.

Using BreachAlert, which is available to businesses as a Dark Web monitoring tool, RepKnight has found 42,037 instances of email addresses belonging to Uber employees posted on the Dark Web and other dump sites since July 2017 alone. To put these figures into context, Uber employs 17,000 people, which means that cybercriminals are posting multiple email addresses belonging to the same employees in multiple places on the Dark Web — and all since July. One dump, in particular, on 8th September contained 3,535 unique addresses, which accounts for more than a whopping 20% of the entire company.

Nobody definitively knows how cybercriminals managed to obtain thousands of employee email addresses, but a previous GitHub flaw may be responsible. In 2014, hackers found Uber login credentials in an Uber-maintained but public GitHub software repository. It’s quite possible that hackers used these credentials to access Uber’s database to steal data.

Seeing large numbers of employee email addresses from one company on the Dark Web is a worry because cybercriminals can then obtain long lists of email addresses to use for a widespread phishing scam — which puts even more sensitive Uber data at risk. Once a cybercriminal sends a phishing email to, say, a few thousand employees, all it would take for another potential cyber breach to occur is for one Uber employee to click on a phishing link. Even more worryingly, some of the lists RepKnight has seen on the Dark Web even contain names and passwords, which could potentially give cybercriminals undetected access to Uber’s systems.

This isn’t Uber’s first run-in with the Dark Web. The company has had a problem with the Dark Web for a number of years now. In 2015 cybercriminals could buy Uber user accounts for as little as $1 on Dark Web site AlphaBay. There are even some user accounts available for free. Today, Uber user accounts are for sale on the Dark Web for €5.

So, what now for Uber?

Uber has a job on its hands to turn its cybersecurity reputation around, and while the company clearly needs to shore up different parts of its security measures, it has to have a plan in place to tackle the Dark Web.

Unfortunately for the company, Uber can’t really do too much about the hacked user accounts. The responsibility for those lies mostly with the user, not Uber. Those who use Uber should change their password once every few months to render any hacked data useless in the hands of a cybercriminal. One suggestion for Uber though would be to introduce multi-factor authentication for users. Everyone who uses Uber does so through a smartphone — many of which now have fingerprint scanners and facial recognition built in. If users had to confirm journeys with a fingerprint or a face scan, hackers at the very least won’t be able to take Uber users for a ride (as it were).

However, because there are so many employee email addresses out there, Uber needs to take precautionary steps to prevent phishing attacks. Employee education and subsequent awareness are obviously key, but the company has no choice but to employ phishing detection on its mail network.

In addition to phishing detection, Uber may also want to consider enforcing password resets with robust password policies on all accounts. The nuclear option would be to re-issue email accounts in a different random format to ensure cybercriminals can’t “guess” email addresses. While changing email addresses will obviously be disruptive in the short term, doing so is better than suffering another data breach, which, this time, may be the final nail in the coffin for Uber.

Every business is at risk of the Dark Web — not just big companies like Uber

Every organisation under the sun — no matter what size or in what sector — can learn from Uber’s experience of the Dark Web. The Dark Web is a threat to all businesses because corporate data will always fetch a fair price on underground marketplaces, and so is worth stealing. At RepKnight, our cyber analysts see all sorts of stolen data on the Dark Web for sale every single day — from credit card details to employee logins — and the victims are often none the wiser.

The challenge nowadays though is that so much corporate data already lives outside the firewall, so keeping track of it is a considerable struggle. So, when cybercriminals compromise some of that data and post it on the Dark Web, how are you going to find out about it?