The ride-sharing giant says a member of the notorious Lapsus$ hacking group started the attack by compromising an extern