On September 15, 2022, an 18-year-old attacker gained sweeping access to Uber's internal systems using a technique that required no malware, no zero-day exploits, and no sophisticated tooling. The attack, attributed to the Lapsus$ group, relied on a combination of purchased credentials and relentless MFA push notification spam — a technique known as MFA fatigue.
The breach exposed Uber's internal dashboards, source code repositories, Slack workspace, and vulnerability reports on HackerOne. It was a stark demonstration that even well-resourced organizations can be undone by the weakest link in their security chain: human psychology.
How the Attack Unfolded
The attack followed a straightforward sequence:
Step 1: Credential acquisition. The attacker obtained the credentials of an Uber EXT (external) contractor, likely purchased from an infostealer malware operation or dark web marketplace. The contractor's credentials may have been initially stolen from a compromised personal device.
Step 2: MFA fatigue. With valid credentials in hand, the attacker began authenticating to Uber's VPN, triggering MFA push notifications to the contractor's phone. When the contractor didn't accept the first push, the attacker sent them repeatedly — for over an hour. Eventually, the attacker also messaged the contractor on WhatsApp, posing as Uber IT support, and told them they needed to accept the notification to stop the alerts. The contractor accepted.
Step 3: VPN access and lateral movement. Once on Uber's internal network via VPN, the attacker scanned the network and found a PowerShell script on a network share. The script contained hardcoded admin credentials for Uber's Privileged Access Management (PAM) system — Thycotic.
Step 4: Full compromise. With PAM admin access, the attacker could retrieve secrets for virtually every internal system: AWS, GCP, Google Workspace, Slack, SentinelOne, Confluence, the HackerOne bug bounty program, and more. The attacker had effectively achieved domain admin-level access to Uber's entire internal infrastructure.
Step 5: Announcement. In a move characteristic of Lapsus$, the attacker announced the breach publicly. They posted a message in Uber's internal Slack channel stating "I announce I am a hacker and Uber has suffered a data breach," complete with a list of compromised systems. Many employees initially assumed it was a joke.
The Supply Chain Dimension
This breach has several supply chain implications that deserve careful analysis:
Contractor Access as Supply Chain Risk
The initial compromise wasn't of an Uber employee — it was an external contractor. Contractors represent an extension of the supply chain, with access to internal systems but often operating on personal devices or with different security controls than full-time employees. The contractor's device was likely compromised separately, meaning a compromise in the contractor's personal security ecosystem cascaded into Uber's corporate environment.
Hardcoded Credentials in Scripts
The PowerShell script with hardcoded PAM credentials is a supply chain problem in the infrastructure-as-code sense. When secrets are embedded in scripts and configuration files, they become part of the software supply chain — checked into repositories, copied across systems, and impossible to rotate without updating every copy.
Vulnerability Data Exposure
The attacker accessed Uber's HackerOne bug bounty program, which contained reports of unfixed vulnerabilities. This data is extraordinarily valuable for planning future attacks — not just against Uber, but potentially against any open source components or third-party integrations mentioned in those reports.
Source Code Access
Like the LastPass breach earlier that month, the attacker gained access to source code repositories. For Uber, this means their ride-sharing algorithms, payment processing code, driver verification systems, and more were potentially exposed.
MFA Fatigue: A Growing Threat
The Uber breach brought MFA fatigue attacks into mainstream awareness, but the technique wasn't new. Throughout 2022, MFA fatigue became the go-to method for bypassing push-based multi-factor authentication:
- Lapsus$ used it against Microsoft in March 2022, with the group's leader claiming they could call an employee at 1 AM repeatedly until they accepted the MFA prompt
- The 0ktapus campaign used real-time OTP relay, a related technique
- Cisco disclosed in August 2022 that an employee's VPN was compromised through a combination of voice phishing and MFA fatigue
The problem is structural: push-based MFA relies on the user to make a security decision every time they receive a notification. Under conditions of fatigue, confusion, or social pressure, humans will accept the prompt just to make it stop.
Defensive Lessons
Replace Push MFA with Phishing-Resistant MFA
FIDO2 security keys and platform authenticators (such as a device's biometric unlock) are immune to MFA fatigue: the credential is bound to the site's origin, and completing a login requires the user to act on the device itself. There is no notification for an attacker to spam.
Implement Number Matching for Push MFA
If you can't move to FIDO2 immediately, enable number matching in your push MFA provider. This requires the user to enter a specific number displayed on the login screen into their authenticator app, making it impossible for an attacker to succeed by simply spamming prompts.
Eliminate Hardcoded Credentials
The PowerShell script with PAM credentials was the critical escalation point. Secrets should never be stored in scripts, configuration files, or code repositories. Use dynamic credential systems and just-in-time access provisioning.
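As an added example tied to this section and the earlier hardcoded-credentials discussion (not the page's or any product's code), here is a small Python scanner for the PowerShell anti-patterns described here: literal passwords in variables, plaintext ConvertTo-SecureString, and inline bearer tokens. The sample script is constructed; the lines that read a secret from the environment or via Get-Secret at run time are included to show what should not be flagged.

```python
# Added example, not from the article or any product: a minimal scanner for
# the pattern that escalated the Uber breach, credentials written as literals
# in PowerShell scripts. The sample script and patterns are constructed; a real
# secret scanner covers far more formats and languages.
import re

# Constructed PowerShell script mixing hardcoded secrets with safe patterns.
SAMPLE_SCRIPT = r'''
$pamUser = "svc-pam-admin"
$pamPass = "Summer2022!"
$secure = ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force
$cred = New-Object PSCredential($pamUser, $secure)
$headers = @{ Authorization = "Bearer eyJhbGciOiJIUzI1NiJ9.constructed" }
# Safe: secret fetched at run time, nothing literal in the file
$apiKey = Get-Secret -Name PamApiKey -AsPlainText
$token = $env:PAM_TOKEN
'''.lstrip("\n")

# (finding label, compiled pattern). Each pattern requires a literal string
# on the right-hand side, so variable and cmdlet references do not match.
PATTERNS = [
    ("password variable", re.compile(r"\$\w*(pass|pwd|secret|token|key)\w*\s*=\s*['\"][^'\"]+['\"]", re.I)),
    ("plaintext SecureString", re.compile(r"ConvertTo-SecureString\s+['\"][^'\"]+['\"].*-AsPlainText", re.I)),
    ("bearer token in header", re.compile(r"Authorization\s*=\s*['\"]Bearer\s+\S+['\"]", re.I)),
]

def scan_script(text):
    """Return (line_number, label, line) for each line holding a literal secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, pattern in PATTERNS:
            if pattern.search(line):
                findings.append((lineno, label, line.strip()))
                break  # one finding per line is enough
    return findings

if __name__ == "__main__":
    for lineno, label, line in scan_script(SAMPLE_SCRIPT):
        print(f"line {lineno}: {label}: {line}")
```

Run it in a pre-commit hook or CI job over every script that ships to a share or repository, and treat any finding as a blocker until the secret is moved to a vault and rotated.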
Restrict Contractor Access
External contractors should operate under the principle of least privilege with additional monitoring. Their access should be time-bounded, limited to specific systems, and subject to enhanced logging and anomaly detection.
Monitor for Anomalous MFA Patterns
Multiple failed MFA attempts followed by a successful one — especially from a new device or location — should trigger alerts and potentially require additional verification before granting access.
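As an added example (not from the original post or any vendor's product), the following Python sketch applies that rule to constructed VPN MFA log lines: a run of push timeouts or denials for one user, closed by an approval within an hour, raises an alert, and the severity is raised further when the approving source IP is outside the user's constructed baseline of known sources.

```python
# Added example, not from the article: flag a run of unaccepted MFA pushes
# followed by an approval, and raise severity when the approving login comes
# from a source IP the user has never authenticated from (the "new device or
# location" signal). Log format and baseline below are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, user, push result, source IP.
SAMPLE_LOG = """\
2022-09-15T01:02:10+00:00 ext-contractor push_timeout 203.0.113.7
2022-09-15T01:03:40+00:00 ext-contractor push_denied 203.0.113.7
2022-09-15T01:05:05+00:00 ext-contractor push_timeout 203.0.113.7
2022-09-15T01:06:30+00:00 ext-contractor push_denied 203.0.113.7
2022-09-15T01:08:00+00:00 ext-contractor push_timeout 203.0.113.7
2022-09-15T01:09:45+00:00 ext-contractor push_approved 203.0.113.7
2022-09-15T08:00:00+00:00 alice push_timeout 198.51.100.4
2022-09-15T08:00:30+00:00 alice push_approved 198.51.100.4
"""
# Constructed baseline: source IPs each user has previously logged in from.
KNOWN_SOURCES = {"ext-contractor": {"198.51.100.20"}, "alice": {"198.51.100.4"}}

def parse_log(text):
    """Parse lines into (timestamp, user, result, ip) tuples."""
    rows = []
    for line in text.splitlines():
        ts, user, result, ip = line.split()
        rows.append((datetime.fromisoformat(ts), user, result, ip))
    return rows

def detect_fatigue(events, known_sources, min_unaccepted=3, window=timedelta(hours=1)):
    """Return one alert (user, unaccepted_count, severity) per approval that
    follows >= min_unaccepted timeouts/denials within the window."""
    alerts = []
    pending = defaultdict(list)  # user -> timestamps of recent unaccepted pushes
    for ts, user, result, ip in sorted(events):
        recent = [t for t in pending[user] if ts - t <= window]
        if result in ("push_timeout", "push_denied"):
            recent.append(ts)
        elif result == "push_approved":
            if len(recent) >= min_unaccepted:
                new_source = ip not in known_sources.get(user, set())
                alerts.append((user, len(recent), "high" if new_source else "medium"))
            recent = []  # an approval closes the episode either way
        pending[user] = recent
    return alerts

if __name__ == "__main__":
    for alert in detect_fatigue(parse_log(SAMPLE_LOG), KNOWN_SOURCES):
        print(alert)  # ('ext-contractor', 5, 'high')
```

A "high" alert is the case to act on automatically: revoke the session, force re-enrollment, and contact the user out of band rather than through the channel the attacker may be using.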
Segment Internal Networks
The attacker's ability to move laterally from VPN access to discovering scripts on network shares to PAM compromise suggests insufficient network segmentation. Internal networks should be segmented so that VPN access doesn't grant broad network visibility.
The Human Factor
The Uber breach is ultimately a story about the limits of technical controls when human behavior is the attack surface. The contractor who accepted the MFA push was not acting maliciously — they were acting as any exhausted, confused person might act when bombarded with notifications and contacted by someone claiming to be IT support.
Security architectures need to account for this reality. Controls that depend on users making correct security decisions under pressure will eventually fail. The goal should be to design systems where the user's compliance path and the secure path are the same — where it's easier to do the right thing than the wrong thing.
How Safeguard.sh Helps
Safeguard.sh helps organizations address the supply chain risks exposed by the Uber breach. Our platform provides visibility into your software dependencies and development infrastructure, flagging hardcoded credentials and secrets in codebases. By enforcing security policies across your development lifecycle and monitoring for anomalous changes in your supply chain, Safeguard.sh helps prevent the kind of cascading compromise that turned a single contractor's MFA acceptance into a full organizational breach.