Uber, a company not always forthcoming about security blunders, has been forced to acknowledge a “cybersecurity incident” on its official Twitter channel.

Unhelpfully for its millions of users around the world, there’s no clear advice on what may be at stake and whether they need to change their passwords and cut up their credit cards. 

But thankfully employees haven’t been quite so tight-lipped, so we know some key details about the breach, which appears to be thanks to bad old-fashioned human engineering. Yep, an (apparently) 18-year-old managed to fool an employee into believing he was IT support, got a password and started running amok.

“I announce i am a hacker and uber has suffered a data breach,” the teen wrote on the company’s internal Slack. Something that evidently wasn’t believed right away, with The Washington Post reporting staff members responded with SpongeBob Squarepants emoji and the “It’s Happening” GIF meme.

“It seems like maybe they’re this kid who got into Uber and doesn’t know what to do with it, and is having the time of his life,” Sam Curry, a security engineer at Yuga Labs told The New York Times. He reached this conclusion after chatting to the hacker via HackerOne, where the hacker had left comments on supposedly-confidential vulnerabilities highlighted by ethical hackers.

BleepingComputer says that these vulnerabilities were all lifted before the hacker was evicted, so if some are still open, there’s a chance that they could be actively exploited soon. We just don’t know thanks to Uber’s lack of transparency.

Of course, hackers motivated by corporate theft for the money don’t tend to announce their presence on Slack, and it’s entirely possible that the hacker is instead motivated by pure, unadulterated trolling. That definitely seems possible, given this little snippet shared by Curry:

Either way, it wouldn’t hurt to change your password on Uber, if you use it. And if you reuse the same password across the web, that means it’s time to go on a login-changing streak. Do yourself a favour and get yourself a password manager like Bitwarden or Dashlane: it’ll take a few hours to set up, but you’ll save yourself a lot of hassle in the long run.