How A Teen Hacker Allegedly Managed To Breach Both Uber And Rockstar Games

Topline

Rockstar Games—the developers of the popular Grand Theft Auto series of video games—was hacked just days after ride-hailing giant Uber’s servers were targeted in a similar breach, purportedly by the same hacker who used a process called social engineering, a highly effective mode of attack that relies on deceiving employees of a targeted company and can be difficult to guard against.

An alleged teenage hacker managed to breach the internal database of Rockstar Games and leaked … [+] videos of an unannounced sequel to the blockbuster Grand Theft Auto video game franchise.

AFP via Getty Images

Key Facts

Similar to the Uber hack, the hacker who goes by the alias “TeaPot” alleged he gained access to Rockstar Games’ internal messages on Slack and early code for their unannounced Grand Theft Auto sequel by gaining access to an employee’s login credentials.

While the exact details of the Rockstar breach are unclear, in Uber’s case the hacker claimed he masqueraded as a company IT person and convinced an employee to share their login credentials.

Unlike other modes of attacks that rely on flaws in a company’s security architecture, social engineering targets people and relies on manipulation and deception.

Experts contend that humans still remain the “weakest link” in cybersecurity as they can be easily deceived to click on malicious links or share their login credentials.

Unlike other methods, social engineering is also effective in defeating certain enhanced security measures like one-time passwords and other multifactor authentication methods.

Crucial Quote

Rachel Tobac, the CEO of cybersecurity firm SocialProof Security and an expert on social engineering tweeted: “The hard truth is that most [organizations]

in the world could be hacked in the exact way Uber was just hacked…Many [organizations] still don’t use [Multi Factor Authentication] internally…& don’t use password managers (which leads to saving creds in easily searchable places once an intruder gets in).”

Key Background

Social engineering has been used to carry out several high-profile hacks in recent years, including the hijacking of more than 100 prominent Twitter accounts—among them Elon Musk, former President Barack Obama, Bill Gates and Kanye West—which were then used to promote a bitcoin scam. The hacks were carried out by teenagers who managed to gain access to Twitter’s internal networks by targeting “a small number of employees” according to the social media company. Last month, both Cloudflare and Twilio were also targeted in a type of social engineering attack called “phishing” where employees were tricked into opening a message that was disguised to appear as legitimate company communication but included a malicious link. Twilio, which provides messaging and two-factor authentication services, disclosed that the hackers had managed to breach the company’s internal databases and gained access to an undisclosed number of customer accounts. Cloudflare, an online content delivery network, noted the hackers were not able to access its internal network.

Contra

Unlike Twilio, Uber and Rockstar, which had their internal systems breached, Cloudflare managed to avoid this fate due to its use of hardware-based security keys. Unlike other multifactor authentication methods like text messages and one-time passwords, hardware security keys are much more secure against social engineering attacks. A targeted employee can be tricked into sharing the details of a text message or a one-time password but the hacker needs to gain physical possession of a hardware security key to gain access to an account. Hardware security keys come in various forms including USB sticks or Bluetooth dongles and they need to be plugged in or connected to a device that is trying to gain access to a protected account. Hackers who gain access to employee credentials will not be able to access their accounts that use this form of security without physically gaining access to their keys. In 2018, Google announced that none of its 85,000 had successfully been targeted through a phishing attack after it mandated the use of physical security keys a year earlier.

Big Number

323,972. That is the total number of complaints of social engineering attacks received by the FBI in 2021—almost three times higher than what it was in 2019—according to the agency’s annual Internet Crime Report. During this period, hackers managed to steal a total of $2.4 billion by compromising business email accounts through social engineering techniques.

What To Watch For

Bloomberg’s Jason Schreier speculated the recent hack may prompt Rockstar to place restrictions on remote work. Cybersecurity experts have previously argued that remote work may require more precautions as it leaves employees more vulnerable to social engineering attacks.