On September 15, 2022, a teenage attacker affiliated with the Lapsus$ hacking group gained broad access to Uber's internal systems using the compromised credentials of an external contractor. The attack relied on a technique known as MFA fatigue: bombarding the victim with multi-factor authentication push notifications until one is accepted. It demonstrated that push-based multi-factor authentication can be bypassed with nothing more than persistence and a convincing message from a fake IT helpdesk when a third-party contractor is the weakest link. The breach exposed Uber's internal Slack communications, financial dashboards, vulnerability reports on HackerOne, and access to cloud infrastructure consoles.
How the Attack Unfolded
The attack began not with Uber directly, but with one of its external (EXT) contractors. According to Uber's own security update and subsequent reporting, the attacker likely purchased the contractor's Uber corporate credentials from the dark web, where they had been exposed after the contractor's personal device was infected with malware.
Armed with a valid username and password, the attacker attempted to log in to Uber's systems. Uber's MFA system prompted the contractor to approve the login via a push notification on their phone. The contractor initially did not approve the request. So the attacker tried again. And again. And again.
This technique, known as MFA fatigue (or MFA bombing), relies on the simple premise that if you send someone enough push notifications, they will eventually approve one — either by accident, out of frustration, or to make the notifications stop. In this case, the attacker also reportedly contacted the contractor on WhatsApp, impersonating Uber IT support and instructing the contractor to accept the MFA prompt. The contractor complied.
With MFA approved, the attacker was inside Uber's VPN and corporate network.
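The sequence above leaves a distinctive trace in identity-provider logs: several push challenges for one account that time out or are denied, followed within minutes by an approval. The following Python script is an added example of detection logic for that pattern; it is not Uber's code or any vendor's product. The log lines and their field names (`user=`, `result=`, `src=`) are constructed for the illustration and do not match any real IdP's schema.

```python
"""Detect MFA push-fatigue bursts in authentication logs (added example).

The log format below is a constructed, simplified 'timestamp key=value ...'
layout; real IdPs (Okta, Duo, Entra ID, ...) use their own schemas, so the
parser would be swapped for a real deployment. The detection logic is the point.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Outcomes that mean "a push was sent and the user did NOT approve it".
FAILED = {"push_timeout", "push_denied"}

# Constructed sample: one account gets five unapproved pushes in a few minutes
# and then approves; two other accounts show normal single-prompt logins.
SAMPLE_LOG = """\
2022-09-15T01:02:10Z user=ext.contractor result=push_timeout src=203.0.113.7
2022-09-15T01:02:55Z user=ext.contractor result=push_denied src=203.0.113.7
2022-09-15T01:03:40Z user=ext.contractor result=push_timeout src=203.0.113.7
2022-09-15T01:04:20Z user=ext.contractor result=push_timeout src=203.0.113.7
2022-09-15T01:05:05Z user=ext.contractor result=push_denied src=203.0.113.7
2022-09-15T01:09:30Z user=ext.contractor result=push_approved src=203.0.113.7
2022-09-15T01:03:00Z user=alice result=push_approved src=198.51.100.4
2022-09-15T08:00:00Z user=bob result=push_timeout src=198.51.100.9
2022-09-15T08:01:00Z user=bob result=push_approved src=198.51.100.9
"""


def parse_events(log_text):
    """Parse 'ts key=value ...' lines into (datetime, fields) tuples, oldest first."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, rest = line.split(" ", 1)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), fields))
    events.sort(key=lambda e: e[0])  # logs are not guaranteed to arrive in order
    return events


def detect_mfa_fatigue(log_text, window=timedelta(minutes=10), min_failed=3):
    """Return alerts for push bursts and for approvals that follow a burst.

    'push_burst'          : min_failed or more unapproved pushes within the window
                            (reported once per burst, so a long burst is not noisy).
    'approval_after_burst': an approval while a burst is still inside the window.
                            This is the high-fidelity signal: the victim gave in.
    """
    alerts = []
    recent_failed = defaultdict(deque)  # user -> timestamps of unapproved pushes
    burst_alerted = set()               # users already reported for the current burst

    for ts, f in parse_events(log_text):
        user, result = f["user"], f["result"]
        q = recent_failed[user]
        while q and ts - q[0] > window:  # slide the window forward
            q.popleft()

        if result in FAILED:
            q.append(ts)
            if len(q) >= min_failed and user not in burst_alerted:
                burst_alerted.add(user)
                alerts.append({"time": ts, "user": user, "kind": "push_burst",
                               "failed_pushes": len(q), "src": f.get("src")})
        elif result == "push_approved":
            if len(q) >= min_failed:
                alerts.append({"time": ts, "user": user, "kind": "approval_after_burst",
                               "failed_pushes": len(q), "src": f.get("src")})
            q.clear()                 # a successful login ends the burst either way
            burst_alerted.discard(user)
    return alerts


if __name__ == "__main__":
    for a in detect_mfa_fatigue(SAMPLE_LOG):
        print(f"{a['time'].isoformat()} {a['kind']:<22} user={a['user']} "
              f"failed_pushes={a['failed_pushes']} src={a['src']}")
```

Running the script on the constructed log raises one `push_burst` alert for `ext.contractor` at the third unapproved push and one `approval_after_burst` alert at the approval; `alice` and `bob` produce nothing. In practice the approval alert should trigger an automatic session revocation and a call to the user, because by the time it fires the attacker already has a session. Tune `window` and `min_failed` against your own baseline of accidental timeouts, and note that the signal disappears entirely once approve-only push is replaced by a method that has no prompt to approve.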
Lateral Movement and Access
Once connected to Uber's internal network, the attacker conducted reconnaissance and discovered a PowerShell script on a network share that contained hardcoded administrator credentials for Uber's privileged access management (PAM) system, reported to be Thycotic. Because a PAM system stores and brokers the privileged credentials for other systems, this single discovery gave the attacker access to a wide range of Uber's internal systems:
- Slack: The attacker accessed Uber's internal Slack workspace and posted a message announcing the breach, which many employees initially assumed was a joke.
- HackerOne: The attacker accessed Uber's HackerOne bug bounty dashboard, which contained vulnerability reports submitted by security researchers. Reporting at the time indicated that some of those reports described issues that had not yet been fixed; Uber later stated that every report the attacker was able to access had been remediated. Even so, a live bug bounty queue is a ready-made exploitation roadmap, and the exposure was a significant security risk.
- Cloud infrastructure consoles: The attacker accessed dashboards for Uber's Amazon Web Services (AWS), Google Cloud Platform (GCP), and VMware vSphere environments.
- Financial dashboards: Internal financial tools and expense management systems were accessible.
- SentinelOne: The attacker accessed Uber's SentinelOne endpoint detection and response (EDR) management console.
Uber stated in its security update that it had seen no evidence the attacker accessed the production systems that hold user data (such as trip history or payment card numbers), made any changes to its codebase, or accessed customer or user data stored with its cloud providers (for example, AWS S3). It did confirm that the attacker downloaded some internal Slack messages and accessed or downloaded information from an internal tool the finance team uses to manage invoices. The breadth of internal access was nonetheless extraordinary.
The Attacker: Lapsus$ and Arion Kurtaj
The attacker was later identified as a member of Lapsus$, a loosely organized hacking group that gained notoriety in 2022 for breaching multiple major technology companies, including Microsoft, Nvidia, Samsung, Okta, and Rockstar Games. A key member of the group, Arion Kurtaj from Oxford, England, was 17 when he was arrested in September 2022 and was charged in connection with the Uber breach and a separate hack of Rockstar Games, among other intrusions.
Kurtaj was found unfit to stand trial because of his autism, so the jury at Southwark Crown Court was asked only to decide whether he had committed the acts alleged, not whether he was guilty. In August 2023 the jury found that he had, and in December 2023 he was sentenced, by then aged 18, to an indefinite hospital order. The case highlighted the evolving profile of cyber threat actors: Lapsus$ relied heavily on social engineering and credential theft rather than sophisticated technical exploits.
Why Third-Party Contractor Access Is a TPRM Priority
The Uber breach exposed systemic weaknesses in how organizations manage contractor access:
- Credential hygiene. The contractor's Uber credentials were available on the dark web, likely from a prior malware infection on a personal device. Organizations must monitor for compromised credentials associated with their contractor workforce.
- MFA method matters. Push-notification MFA with a plain approve/deny prompt is vulnerable to fatigue attacks. Number matching (the user must enter a code shown on the login screen into the authenticator) stops accidental approvals but not a victim who is being talked through the prompt by a fake IT helpdesk, since the attacker can read the code off the login page. Phishing-resistant methods such as FIDO2/WebAuthn hardware security keys remove the approvable prompt entirely and bind the credential to the legitimate origin. TPRM programs should require that vendors and contractors use phishing-resistant MFA.
- Hardcoded credentials in scripts. The attacker escalated privileges by finding admin credentials in a PowerShell script. This is a well-known security anti-pattern, and secrets management should be part of both internal security and vendor risk assessments.
- Network segmentation for contractor access. Once inside the VPN, the attacker had broad lateral movement capability. Contractor VPN access should be segmented to limit access to only the systems required for their specific function.
- Contractor security training. The contractor who approved the MFA prompt may not have received the same phishing awareness training as Uber employees. TPRM programs should require vendors to demonstrate that their personnel receive regular security awareness training.
The Bigger Picture
The Uber breach of 2022 is a textbook case of how third-party access can undermine even well-resourced security programs. Uber had invested heavily in security infrastructure, including MFA, endpoint detection, and a bug bounty program. But the entire security posture was circumvented by a single contractor who approved a push notification.
For third-party risk management professionals, the lesson is clear: your security is only as strong as your weakest vendor's weakest contractor's weakest authentication method. TPRM programs that do not extend identity and access governance to the contractor workforce are leaving a door wide open.
Protect Your Organization from Third-Party Risk
Fair TPRM is a free, open-source platform for vendor risk management, GRC compliance, and FAIR risk quantification.
Sources & References
- Security Update - September 2022 - Uber Newsroom
- United Kingdom National Indicted for Hacking Ride-Sharing Company - U.S. Department of Justice
- Uber Investigating Breach of Its Computer Systems - Krebs on Security, September 2022
- Lapsus$: GTA Hacker Arion Kurtaj Sentenced to Hospital Order - BBC News, December 2023
- Threat Actors Exploiting Multiple CVEs Against Zimbra Collaboration Suite (related MFA guidance) - CISA Advisory