Information apparently belonging to ride-hailing giant Uber has been leaked online and the source of the data is likely a third-party IT vendor.
Over the weekend, a user with the moniker ‘UberLeak’ made public on a hacker forum a 600 Mb archive file allegedly containing 20 million records of data coming from Uber systems.
An analysis of the files conducted by SecurityWeek shows source code, internal task management information, encryption keys, and over a dozen documents each containing hundreds or thousands of Uber email addresses.
One spreadsheet named ‘report’ contains what appears to be a list of more than 16,000 employee names and email addresses. Another spreadsheet named ‘users’ contains the names, email addresses and employee IDs for over 5,000 people.
A very small archive file allegedly associated with the Uber Eats food delivery platform was also leaked by the same user, but it only appears to contain test data.
Uber confirmed in September that a hacker had accessed internal tools after an external contractor’s account was compromised.
However, in a statement to RestorePrivacy, Uber said the new leak is not related to the September incident. Instead, it appears the data originates from IT asset management software provider Teqtivity.
It’s worth noting that the same hacker also leaked 18 Mb and 25 Mb archive files allegedly containing data associated with Teqtivity and travel management company TripActions. These archives appear to contain application source code.
Teqtivity published a statement on Monday, confirming that customer data was compromised after a “malicious third party” gained access to its systems.
“The third party was able to gain access to our Teqtivity AWS backup server that housed Teqtivity code and data files related to Teqtivity customers,” the company said.
According to Teqtivity, the investigation is ongoing, but so far it has confirmed that the exposed files include device information such as serial number, make and model, and technical specification, as well as user information, including first and last name, work email address, and work location details. The firm said it does not collect personal information such as home addresses, government identification numbers or banking information.
Uber is still investigating the incident, but it said the source code does not seem to belong to the company.
TripActions told SecurityWeek that its data is not impacted by the breach:
“Following investigations by both TripActions and Teqtivity, it has been determined that no TripActions data was exposed as part of this security incident nor were TripActions customers impacted as part of this security incident. TripActions does not maintain an MDM. We will continue to monitor the situation,” the company said in a statement.
*updated with statement from TripActions
Related: Serious Breach at Uber Spotlights Hacker Social Deception
Related: Former Uber CISO Joe Sullivan Found Guilty Over Breach Cover-Up
