Uber Lapsus$ social-engineering breach
An 18-year-old affiliated with Lapsus$ socially engineered an Uber contractor, defeated MFA through an hour-long push-bombing campaign, then found hardcoded admin credentials on an internal share that unlocked Uber's AWS, G-Suite, Slack, and HackerOne dashboards.
- Victim: Uber Technologies
On 15 September 2022, Uber discovered that an attacker had penetrated deep into its internal network. The intrusion was striking not for its technical complexity but for how little of it was technical: the breach hinged almost entirely on social engineering and an MFA-fatigue attack, executed by an actor claiming to be 18 years old and later linked to the Lapsus$ group.
How the breach unfolded
The attacker began with a contractor's stolen credentials, most likely purchased on a dark-web marketplace after the contractor's personal device was infected with malware. Valid credentials alone were not enough — the account was protected by multi-factor authentication. So the attacker launched an MFA-fatigue (push-bombing) attack, triggering a barrage of login-approval notifications to the contractor's phone for more than an hour.
When the notifications failed to stop, the attacker contacted the contractor on WhatsApp, posing as Uber IT support, and claimed the prompts would only cease if the contractor approved one. Worn down, the contractor approved a push — and the attacker was in.
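The push-bombing sequence described above leaves a distinctive trace in an identity provider's authentication log: a run of push challenges for one account, followed by a single approval. The following is an added example written for this page, not code from Uber or any MFA vendor. It assumes a tab-separated log format (timestamp, user, event, source IP), constructed sample lines, and the threshold constants at the top; a real deployment would read the equivalent events from the IdP's audit feed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Tuning values are assumptions, not taken from the write-up or any vendor guidance.
PUSH_THRESHOLD = 5                  # this many pushes inside WINDOW counts as a burst
WINDOW = timedelta(minutes=10)
BURST_MEMORY = timedelta(hours=2)   # an approval this long after a burst is treated as suspicious

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    event: str        # "push_sent", "push_approved" or "push_denied"
    source_ip: str


def parse_line(line: str) -> AuthEvent:
    """Parse one tab-separated line of the assumed format: ts, user, event, ip."""
    ts, user, event, ip = line.rstrip("\n").split("\t")
    return AuthEvent(datetime.strptime(ts, TS_FMT).replace(tzinfo=timezone.utc), user, event, ip)


def build_sample_log() -> list[str]:
    """Constructed sample: 'contractor1' is pushed every two minutes for about an
    hour from one unfamiliar IP and finally approves; 'alice' logs in normally."""
    base = datetime(2022, 9, 15, 20, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(30):
        t = base + timedelta(minutes=2 * i)
        lines.append(f"{t.strftime(TS_FMT)}\tcontractor1\tpush_sent\t203.0.113.7")
    t = base + timedelta(minutes=61)
    lines.append(f"{t.strftime(TS_FMT)}\tcontractor1\tpush_approved\t203.0.113.7")
    t = base + timedelta(minutes=5)
    lines.append(f"{t.strftime(TS_FMT)}\talice\tpush_sent\t198.51.100.4")
    t = base + timedelta(minutes=6)
    lines.append(f"{t.strftime(TS_FMT)}\talice\tpush_approved\t198.51.100.4")
    return lines


def detect_push_fatigue(events, threshold=PUSH_THRESHOLD, window=WINDOW, memory=BURST_MEMORY):
    """Return alerts: one when a user's pushes reach the threshold inside the
    sliding window, and a higher-severity one when that user then approves."""
    recent = defaultdict(deque)   # user -> timestamps of push_sent inside the window
    burst_seen = {}               # user -> time the burst was first flagged
    alerts = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.event == "push_sent":
            q = recent[e.user]
            q.append(e.ts)
            while q and e.ts - q[0] > window:   # drop pushes older than the window
                q.popleft()
            if len(q) >= threshold and e.user not in burst_seen:
                burst_seen[e.user] = e.ts
                alerts.append({"rule": "mfa_push_burst", "severity": "medium", "user": e.user,
                               "ts": e.ts, "detail": f"{len(q)} pushes in {window} from {e.source_ip}"})
        elif e.event == "push_approved":
            started = burst_seen.get(e.user)
            if started is not None and e.ts - started <= memory:
                alerts.append({"rule": "approval_after_burst", "severity": "high", "user": e.user,
                               "ts": e.ts, "detail": f"approved {e.ts - started} after burst began; "
                                                     "treat the session as compromised until verified"})
    return alerts


if __name__ == "__main__":
    for a in detect_push_fatigue(parse_line(l) for l in build_sample_log()):
        print(a["severity"], a["rule"], a["user"], a["ts"].isoformat(), a["detail"])
```

The burst rule alone is only medium severity, because a user who denies every prompt has done the right thing; the approval rule is the one worth paging on, since it is exactly the moment at which the contractor's account changed hands. Number-matching or FIDO2 factors remove the second event entirely, which is why the burst rule matters most for tenants still on one-tap push.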
Escalation
Initial access to one contractor account would normally be a contained problem. What turned it into a near-total compromise was a lateral-movement windfall: the attacker discovered PowerShell scripts on an internal network share that contained hardcoded administrative credentials for Uber's privileged access management system (Thycotic).
Those credentials were a master key. With them, the attacker gained access to:
- Uber's AWS environment
- Google Workspace (G-Suite)
- Slack, where the attacker posted a message announcing the breach to the entire company
- The HackerOne bug-bounty dashboard — potentially exposing unpatched vulnerabilities reported to Uber
- Internal finance and vSphere tooling
The attacker also reconfigured Uber's OpenDNS to display a graphic image on some internal sites, a theatrical flourish characteristic of Lapsus$.
Impact and containment
Uber took internal tools offline and engaged its incident-response process. Critically, the company's investigation concluded that the attacker did not access the production systems that run Uber's apps, any user accounts, or the databases storing sensitive user information. No customer-payment or trip data was confirmed stolen. The attacker did download some internal Slack messages and information from an internal finance-invoicing tool.
Uber publicly attributed the breach to an actor affiliated with Lapsus$, the same group behind 2022 intrusions at Microsoft, Cisco, Samsung, Nvidia, and Okta. The group's members included U.K. teenager Arion Kurtaj, later found responsible by a London court for the Uber intrusion among others.
Why it matters
The Uber breach is the canonical demonstration that multi-factor authentication is not a panacea. Push-based MFA, in particular, is vulnerable to fatigue attacks where the human — not the cryptography — is the weak link. The incident drove widespread adoption of number-matching MFA and phishing-resistant FIDO2/WebAuthn factors that cannot be approved by a single tap.
Equally important was the escalation path: hardcoded admin credentials sitting in a PowerShell script on a reachable file share turned a single compromised contractor into a full-environment breach. The case is now a standard teaching example for secrets-management hygiene — credentials belong in a vault with access controls and rotation, never in scripts on a network share — and for the principle that an initial foothold should never grant standing access to the keys of the entire kingdom.
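The escalation step above, and the secrets-hygiene lesson drawn from it, come down to one question: does any script on a reachable share carry a literal credential? The following is an added example written for this page, not Uber's code or any product's scanner. It assumes a small set of PowerShell anti-patterns, a constructed script that exhibits them, and a constructed remediated version that pulls the same values from a vault (via the SecretManagement `Get-Secret` cmdlet, with an assumed vault entry name) or from the environment. The scanner reports each hit with the secret value masked, so its own output does not become a second copy of the credential.

```python
import re
from dataclasses import dataclass

# Constructed stand-in for the kind of script found on the share; not Uber's code.
# The password and the base64 header value are made-up sample values.
VULNERABLE_PS1 = r'''# pam-sync.ps1 (constructed example of the anti-pattern)
$pamUser = "svc-pam-admin"
$pamPassword = "Sup3rS3cret!2022"
$cred = New-Object System.Management.Automation.PSCredential($pamUser, (ConvertTo-SecureString "Sup3rS3cret!2022" -AsPlainText -Force))
Connect-VIServer -Server vcenter.corp.example -User $pamUser -Password "Sup3rS3cret!2022"
Invoke-RestMethod -Uri "https://pam.corp.example/api/secrets" -Headers @{ Authorization = "Basic c3ZjLXBhbS1hZG1pbjpTdXAzclMzY3JldCEyMDIy" }
'''

# Constructed remediated version: the same actions with no literal credential in the file.
REMEDIATED_PS1 = r'''# pam-sync.ps1 (constructed remediation; vault entry name is an assumption)
$pamPassword = Get-Secret -Name "pam-admin"
$cred = New-Object System.Management.Automation.PSCredential("svc-pam-admin", $pamPassword)
Connect-VIServer -Server vcenter.corp.example -Credential $cred
$headers = @{ Authorization = "Bearer $env:PAM_API_TOKEN" }
'''

# Each rule captures the secret value in a named group so it can be masked in output.
RULES = [
    ("literal_secret_assignment",
     re.compile(r'\$\w*(?:pass|pwd|secret|token|apikey|key)\w*\s*=\s*["\'](?P<secret>[^"\']{4,})["\']', re.I)),
    ("plaintext_securestring",
     re.compile(r'ConvertTo-SecureString\s+["\'](?P<secret>[^"\']+)["\'][^\n]*-AsPlainText', re.I)),
    ("password_parameter",
     re.compile(r'-Password\s+["\'](?P<secret>[^"\']+)["\']', re.I)),
    ("basic_auth_header",
     re.compile(r'Authorization\s*[=:]\s*["\']?Basic\s+(?P<secret>[A-Za-z0-9+/=]{16,})', re.I)),
]


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    redacted: str    # the offending line with the secret value masked


def scan_script(text: str) -> list[Finding]:
    """Run every rule over every line and return masked findings in file order."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES:
            for m in pattern.finditer(line):
                masked = line[:m.start("secret")] + "<REDACTED>" + line[m.end("secret"):]
                findings.append(Finding(n, rule, masked))
    return findings


if __name__ == "__main__":
    for f in scan_script(VULNERABLE_PS1):
        print(f"line {f.line_no}: {f.rule}: {f.redacted}")
    print("remediated script findings:", len(scan_script(REMEDIATED_PS1)))
```

Run across every share the contractor's account could reach, the same scan answers the question an incident-response team needs in the first hour: which credentials must be rotated now. The variable-name rule will flag benign lines such as a path stored in `$sshKeyPath`, so treat it as triage input rather than an automatic block, and pair it with an entropy heuristic for strings the keyword list misses.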
Timeline
- Using credentials likely bought on the dark web, the attacker triggers a barrage of MFA push notifications to an Uber contractor's device.
- Posing as Uber IT support on WhatsApp, the attacker persuades the contractor to approve one of the prompts, gaining access to the contractor's account.
- The attacker finds PowerShell scripts on an internal network share containing hardcoded admin credentials for Uber's privileged access management (Thycotic) system.
- Using those credentials, the attacker accesses AWS, G-Suite, Slack, the HackerOne bug-bounty dashboard, and other internal tools; posts a message to a company-wide Slack channel.
- Uber takes internal tools offline and begins incident response; the attacker also defaces an internal site via OpenDNS reconfiguration.
- Uber publishes its investigation findings, attributing the breach to an actor affiliated with Lapsus$ and confirming no production systems or user data were accessed.
- U.K. teenager Arion Kurtaj, linked to Lapsus$, is found responsible by a London court for a string of 2022 intrusions including Uber.
Sources
- uber.com: https://www.uber.com/newsroom/security-update/
- bleepingcomputer.com: https://www.bleepingcomputer.com/news/security/uber-links-breach-to-lapsus-group-blames-contractor-for-hack/
- nytimes.com: https://www.nytimes.com/2022/09/15/technology/uber-hacking-breach.html
- thehackernews.com: https://thehackernews.com/2022/09/uber-says-its-internal-systems-were.html
- theverge.com: https://www.theverge.com/2022/9/16/23356213/uber-hack-teen-slack-google-cloud-credentials-powershell