Over the course of three days, two massive American companies were rocked by two equally massive leaks. On Friday, it was announced that the ubiquitous ride-share company Uber had been hit with a wide-reaching data leak, and on Sunday afternoon EST time over 90 videos of the upcoming Grand Theft Auto 6 (GTA6) were posted online as part of an alleged extortion attempt.
How they did it:
The two large-scale cybercrimes are related. It is alleged that the same hacker - or hackers - used social engineering techniques in order to gain access to the two company's servers.
The hack of Uber started with the hacker(s) known as 'Teapotuberhacker' implementing a simple phishing technique: posing as IT personnel and sending an employee a text message asking for their login credentials, according to the New York Times who first reported on the story. The hacker then gained access to Uber’s Amazon Web Services (AWS) accounts and Google Cloud accounts, scraped a lot of data, and then announced to the company that’d they’d been hacked via the phished employee’s Slack account.
While less is known about the Rockstar leak at this point, the same tactics of posting images from the company's Slack have been used.
What was lost:
With Uber: Potentially millions of dollars. The hacker was able to access Uber’s OneLogin account, which more or less gave them complete and total access to Uber’s data. They were even able to see the login info for the burn-it-all-down-and-start-from-scratch account in OneLogin, curiously titled ‘Security Response Break Glass Service Account’. Essentially, this could mean that Uber has to completely overhaul its cybersecurity and IT operations. There has been no official word on whether user data (including payment and location data) has leaked. Our own theory is that the hacker is most likely doing this to make (potentially) a lot of money and a name for themselves, not to ruin the lives of hundreds of millions of people.
And with Rockstar: Potentially years of work and millions of dollars. This is, of course, a massive let-down for the GTA developers working at Rockstar Games, which usually employs developers in the thousands: 2013's GTA V had approximately 1,000 developers working on it and 2018's Red Dead Redemption 2 had approximately 2,000 developers working on it. To have literal hundreds of thousands of hours of work leaked out into the public has to be a massive blow to the team.
On the other hand, this could play into Rockstar’s overall PR machine. With the last release in the GTA series occurring 9 years ago, the hype for GTA6 has been - in a word - stratospheric. Any information on the game has generated a lot of headlines, and this huge leak provided not only confirmations about new characters, but also the open-world where the game is set. Set in modern-day Miami and Florida, GTA6 appears to follow two criminals - one man, and one woman (a first for Rockstar) - as they build a crime empire.
As for Uber, there’s no way to read this alleged leak as good news.
How it could have been prevented:
Uber’s hack is alleged to have happened using a technique called “MFA fatigue” - where a user is peppered with dozens of login attempts on their device (i.e. “swipe left to authenticate” or “type these numbers into the authenticator to approve login”); this is confirmed by the fact that the hacker posed as an IT person on the employee’s WhatsApp asking them to approve a/the login(s) so that the barrage would stop.
- Know the contact information for your company’s IT person or persons. These alleged leaks could have been prevented by simply verifying with an IT individual.
- Never trust, always verify. This is the guiding principle of ‘zero trust’ cybersecurity. What’s most shocking in these recent alleged breaches is that Uber (in particular) allowed someone with access to just one account into all of the company’s accounts, including the OneLogin. It would have helped the company immensely if there had been a simple way to block unrecognised IP addresses, or non-authorised devices. With Rockstar’s breach, it appears that most of the data that has leaked was available on the company’s Slack.
- Use certificate-based authentication. While no method is perfect in keeping out malicious actors, certificate-based authentication is arguably more reliable than MFA.
- Acclimating employees to the reality of phishing attempts. Simple phishing simulations might have helped prevent these breaches. It’s telling that these two companies — Uber and Rockstar — have spent tens of millions of dollars on building elaborate firewalls to keep prying eyes out of their data, only to have the human firewall breached by a simple WhatsApp or Slack message. The hacker, it should be noted, has said that they are just 18 years old.
How to move forward:
Have empathy for these companies and their employees. Yes, the companies have millions and millions of dollars, and yes, you as a member of the viewing public are entitled to have opinions about the entities. And if you work in cybersecurity you more than likely have already formed opinions on what could have been done.
But the untold story here is the thousands of hours of work that has been taken out of the hands of the employees and dumped, unceremoniously, by an 18 year-old hacker, into the public eye. All for what? A payday? The "lulz"? In this writer's humble opinion, posting it all online for all to see takes away from the thousands (perhaps tens of thousands) of developers who've worked very hard on GTA6. Leaking their hard work wasn't necessary.
- Subscribe to All Things Human Risk to get a monthly round up of our latest content
- Request a demo for a customized walkthrough of Hoxhunt