Anatomy of a Breach

Anatomy of a Breach: Uber Breached Again — A Teenager, MFA Fatigue, and Full Internal Access

> series: anatomy_of_a_breach —— part: 165 —— target: uber_again —— method: mfa_fatigue + whatsapp_social_engineering —— attacker: lapsus$-linked_teenager

Hedgehog Security 30 September 2022 13 min read

Uber. Again. A teenager. MFA fatigue. Full access to Slack, source code, and bug bounty reports.

On 15 September 2022, Uber disclosed that an attacker had gained access to its internal systems. The attacker — an 18-year-old affiliated with the Lapsus$ group — had purchased stolen credentials on the dark web, then used MFA fatigue to bypass Uber's push-notification MFA. When the targeted employee initially resisted the repeated push notifications, the attacker contacted the employee via WhatsApp, impersonating Uber IT support and instructing them to approve the MFA prompt to stop the notifications. The employee complied.

Once inside Uber's VPN, the attacker discovered hardcoded administrative credentials in a PowerShell script on an internal network share — gaining access to Uber's privileged access management (PAM) system. From there, the attacker accessed Uber's Slack (where they posted a message announcing the breach), Google Workspace, AWS and GCP consoles, source code repositories, and — critically — Uber's HackerOne bug bounty dashboard, which contained reports of unpatched security vulnerabilities. The breach came five years after the 2016 breach that Uber had concealed — and that had resulted in the criminal conviction of Uber's former CSO.


Recommended

Not sure where to start?

We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.

Free Scoping Call

Push spam until they approve. Then call them pretending to be IT.

MFA Fatigue: The Lapsus$ Playbook

The attacker used the same MFA fatigue technique documented in the <a href="/blog/anatomy-of-a-breach-lapsus">Lapsus$ breach</a> (#159) — bombarding the target with push notifications. When fatigue alone failed, the attacker escalated to social engineering via WhatsApp. <a href="/cyber-essentials">Cyber Essentials Danzell</a> recommends number-matching or FIDO2 MFA, which cannot be fatigued. Our <a href="/penetration-testing/social-engineering">social engineering assessments</a> include MFA fatigue simulation.

Hardcoded Credentials in Scripts

Administrative credentials stored in plaintext in a PowerShell script on a network share gave the attacker access to the PAM system — and from there, to everything. Our <a href="/penetration-testing/infrastructure">internal penetration testing</a> specifically searches for hardcoded credentials in scripts, configuration files, and network shares.

Bug Bounty Reports Accessed

The attacker accessed Uber's HackerOne dashboard — containing detailed reports of security vulnerabilities, some potentially unpatched. Access to bug bounty reports gives an attacker a roadmap of known weaknesses. <a href="/penetration-testing/infrastructure">Our testing</a> assesses access controls on security-sensitive internal systems.

Uber's Third Major Breach

The 2016 cover-up (CSO convicted), the 2022 MFA fatigue attack — Uber has now appeared multiple times in this series. As with <a href="/blog/anatomy-of-a-breach-t-mobile-us-2021">T-Mobile</a>, repeated breaches indicate systemic security governance failures. <a href="https://www.socinabox.co.uk">SOC in a Box</a> provides the continuous monitoring that detects breaches as they occur.

Push-notification MFA is not enough. Upgrade to phishing-resistant MFA.

The Uber 2022 breach was the definitive case for upgrading from push-notification MFA to phishing-resistant alternatives. Cyber Essentials Danzell recommends number-matching push notifications (where the user must enter a code shown on the login screen), FIDO2 hardware keys, or passkeys — all of which resist MFA fatigue attacks. Our social engineering testing includes MFA fatigue assessment. Internal testing searches for hardcoded credentials. SOC in a Box monitors for MFA fatigue patterns and anomalous internal access. And UK Cyber Defence provides incident response when social engineering bypasses authentication.
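The "MFA fatigue pattern" that monitoring should pick up has a recognisable shape in authentication logs: a burst of denied or timed-out push prompts for one user, followed shortly by an approval. The following is an added example (not Hedgehog Security's or any vendor's code) of that detection logic run over constructed sample log lines; the `user=... event=mfa_push result=...` format, the user names and the thresholds are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a made-up key=value push-MFA export format
# (not a real Uber or vendor log). Fields: timestamp, user, event, result.
SAMPLE_LOG = """\
2022-09-15T22:01:04Z user=jsmith event=mfa_push result=denied
2022-09-15T22:01:31Z user=jsmith event=mfa_push result=timeout
2022-09-15T22:02:07Z user=jsmith event=mfa_push result=denied
2022-09-15T22:02:40Z user=jsmith event=mfa_push result=timeout
2022-09-15T22:03:15Z user=jsmith event=mfa_push result=timeout
2022-09-15T22:09:52Z user=jsmith event=mfa_push result=approved
2022-09-15T22:10:00Z user=alee event=mfa_push result=approved
2022-09-15T23:00:00Z user=bkhan event=mfa_push result=denied
2022-09-15T23:40:00Z user=bkhan event=mfa_push result=approved
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) event=mfa_push result=(\S+)$")

def parse(log_text):
    """Yield (timestamp, user, result) for each MFA push line that matches."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3)

def detect_mfa_fatigue(log_text, min_failures=3, window=timedelta(minutes=15)):
    """Flag each approval that was preceded, within `window`, by at least
    `min_failures` denied/timed-out pushes for the same user: the
    push-bombing-then-approve shape described in the article."""
    events = defaultdict(list)
    for ts, user, result in parse(log_text):
        events[user].append((ts, result))
    alerts = []
    for user, evs in events.items():
        evs.sort()  # chronological order per user
        for i, (ts, result) in enumerate(evs):
            if result != "approved":
                continue
            prior = [t for t, r in evs[:i]
                     if r in ("denied", "timeout") and ts - t <= window]
            if len(prior) >= min_failures:
                alerts.append({"user": user, "approved_at": ts.isoformat(),
                               "failed_pushes": len(prior)})
    return alerts

if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_LOG):
        print(alert)
```

Only `jsmith` is flagged: five rejected prompts in under nine minutes and then an approval, while a single isolated denial for `bkhan` forty minutes before an approval stays below both thresholds.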


Uber was breached through MFA fatigue — again. Is your MFA phishing-resistant?

<a href="/cyber-essentials">Cyber Essentials</a> recommends number-matching or FIDO2 MFA. <a href="/penetration-testing/social-engineering">Social engineering testing</a> includes MFA fatigue. <a href="https://www.socinabox.co.uk">SOC in a Box</a> detects fatigue patterns.
