Uber Breach 2022
Breach Summary
The Uber breach of 2022 is the definitive case study for social engineering and MFA bypass in the enterprise. Attackers with no sophisticated technical capability breached Uber's entire corporate infrastructure through a combination of purchased credentials, MFA fatigue, and vishing — then exfiltrated data from Uber's internal security tools, cloud environments, and code repositories.
What Happened
On September 15, 2022, an 18-year-old attacker affiliated with the Lapsus$ hacking group breached Uber's corporate environment. The attacker announced the breach on Uber's internal Slack channel. Uber's security team initially thought it was a joke. The attacker shared screenshots proving access to nearly every major Uber system. Uber shut down its internal tools and took systems offline. The company disclosed the breach two days later.
Attack Vector Detail
The attacker purchased Uber corporate credentials from the dark web. The account had MFA enabled. The attacker sent repeated MFA push notifications — the MFA fatigue technique — until the employee, confused and annoyed, approved one. The attacker then messaged the employee on WhatsApp claiming to be Uber IT, explaining the approvals were for a 'security check,' and the employee cooperated further.
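The push-bombing pattern described above leaves a distinctive trail in identity-provider logs: a burst of denied or timed-out push challenges for one account, followed by an approval. The following detection rule is an added example written for this page, not code from Uber or from any vendor; the log format, field names, threshold and window are constructed assumptions and would need to be mapped onto your own IdP's sign-in export.

```python
"""
Added example (not from the page or from Uber): flag MFA-fatigue bursts in
push-notification logs. Format assumed: one challenge per line,
"<ISO timestamp> <user> <outcome>", outcome in {denied, timeout, approved}.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: alice is push-bombed and finally approves,
# bob approves a single normal prompt, carol's denial is too old to matter.
SAMPLE_LOG = """\
2022-09-15T21:02:11Z alice denied
2022-09-15T21:03:05Z alice timeout
2022-09-15T21:04:02Z alice denied
2022-09-15T21:04:50Z alice denied
2022-09-15T21:05:10Z alice approved
2022-09-15T21:10:00Z bob approved
2022-09-15T22:00:00Z carol denied
2022-09-15T22:30:00Z carol approved
"""


def parse_line(line: str):
    ts, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, outcome


def detect_mfa_fatigue(log_text: str,
                       window: timedelta = timedelta(minutes=10),
                       threshold: int = 3) -> dict:
    """Return {user: severity} for accounts showing a fatigue pattern.

    'high'     : at least `threshold` rejected challenges inside one window
    'critical' : an approval arrived while the window still held `threshold`
                 rejections, i.e. the user gave in (the Uber scenario)
    Threshold and window are assumed tuning values, not vendor defaults.
    """
    per_user = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, user, outcome = parse_line(line)
        per_user[user].append((ts, outcome))

    alerts = {}
    for user, events in per_user.items():
        events.sort()
        recent_rejects = []  # timestamps of denied/timeout still inside window
        for ts, outcome in events:
            recent_rejects = [t for t in recent_rejects if ts - t <= window]
            if outcome in ("denied", "timeout"):
                recent_rejects.append(ts)
                if len(recent_rejects) >= threshold:
                    alerts.setdefault(user, "high")
            elif outcome == "approved" and len(recent_rejects) >= threshold:
                # approval after a burst: the session should be revoked and
                # the user contacted out of band, not just logged
                alerts[user] = "critical"
    return alerts


if __name__ == "__main__":
    for user, severity in detect_mfa_fatigue(SAMPLE_LOG).items():
        print(f"{severity.upper()}: possible MFA fatigue against {user}")
```

A 'critical' hit is the moment to revoke the freshly minted session and reach the employee through a channel the attacker cannot sit in; the WhatsApp follow-up in the Uber case worked precisely because nobody else was talking to the contractor. Number-matching or FIDO2 authenticators remove the approve-by-reflex path that this rule can only detect after the fact.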
From the initial access, the attacker found PowerShell scripts in internal file shares containing hardcoded Thycotic PAM credentials. Those credentials provided access to Uber's privileged access management system. From there, the attacker accessed virtually every internal system: AWS, GCP, HackerOne bug reports, Slack, Google Workspace, and Uber's internal security tools.
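The lateral move above hinged on secrets sitting in plain text inside scripts on a file share, which is a finding a repository or share scan should surface long before an intruder does. The scanner below is an added example for this page, not Uber's tooling; the sample script, the variable names and the regex rules are all constructed, and the rules are deliberately narrow (quoted literals only) so that secrets read from a vault, a file or a prompt are not flagged.

```python
"""
Added example (not from the page or from Uber): scan PowerShell source for
plaintext credential literals of the kind that gave the attacker PAM access.
Patterns are constructed heuristics, not an exhaustive secret detector.
"""
import re

# Constructed sample script modelled on the failure mode described above.
# The host name, account and password are invented.
SAMPLE_SCRIPT = r'''
# backup-secrets.ps1 (constructed example)
$pamUser = "svc-pam-admin"
$pamPassword = "Winter2022!"          # plaintext secret in source
$secure = ConvertTo-SecureString "Winter2022!" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($pamUser, $secure)
Invoke-RestMethod -Uri "https://pam.example.internal/api" -Credential $cred
$apiKey = Get-Content "C:\keys\api.key"   # read from a file: not flagged here
$password = Read-Host -AsSecureString     # prompted at run time: not flagged
'''

# (rule name, regex with the secret literal in group 1)
PATTERNS = [
    ("assignment",
     re.compile(r'\$\w*(?:pass|pwd|secret|token|key)\w*\s*=\s*"([^"]+)"', re.I)),
    ("securestring-literal",
     re.compile(r'ConvertTo-SecureString\s+"([^"]+)"\s+-AsPlainText', re.I)),
    ("password-parameter",
     re.compile(r'-(?:Password|Secret|Token)\s+"([^"]+)"', re.I)),
]


def redact(value: str) -> str:
    """Keep two characters so a finding can be located without re-leaking it."""
    return value[:2] + "*" * max(len(value) - 2, 0)


def scan_script(text: str) -> list:
    """Return findings as dicts: line number, rule name, redacted literal."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS:
            for match in pattern.finditer(line):
                findings.append({
                    "line": line_no,
                    "rule": rule,
                    "redacted": redact(match.group(1)),
                })
    return findings


if __name__ == "__main__":
    for f in scan_script(SAMPLE_SCRIPT):
        print(f"line {f['line']:>3}  {f['rule']:<22} {f['redacted']}")
```

Run against a checked-out share or repository, the findings become tickets to move each secret into the PAM tool itself and have the script fetch it at run time under a short-lived identity; the redaction matters because scanner output tends to end up in the same ticketing and chat systems an intruder reads.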
Breach Pattern Timeline
September 15, 2022
Attacker — an 18-year-old member of the Lapsus$ extortion group operating under the handle 'teapotuberhacker' — obtains the credentials of an Uber contractor, purchased from a dark web initial access broker.
September 15, 2022
Attacker bypasses MFA via 'MFA fatigue' — sending repeated push notifications to the contractor's phone for over an hour, then social engineering the contractor by impersonating Uber IT via WhatsApp to convince them to approve the push.
September 15, 2022 (later)
Attacker discovers PowerShell scripts on Uber's intranet containing hardcoded admin credentials for Uber's PAM (privileged access management) tool, Thycotic. Escalates to administrative access across AWS, GCP, vSphere, SentinelOne, Slack, and HackerOne.
September 16, 2022
Attacker posts public messages on Uber Slack: 'I announce I am a hacker and Uber has suffered a data breach.' Posts screenshots of internal systems on Twitter and to security researchers.
September 17, 2022
Uber confirms the breach. Activates incident response. Slack and other internal systems briefly taken offline. The attacker had accessed HackerOne (Uber's bug bounty platform), potentially viewing unpatched vulnerability reports.
September 23, 2022
U.K. police arrest a 17-year-old in Oxfordshire on suspicion of being the Uber hacker. The same individual is subsequently charged in connection with the Rockstar Games breach.
October 2022
Uber CISO Joe Sullivan trial concludes — but for the SEPARATE 2016 breach concealment, not this one. Sullivan convicted of obstruction and misprision of felony.
April 2023
Uber settles with DOJ over 2016 breach concealment for $148M (settlement actually finalized in 2018; Sullivan's individual prosecution was post-settlement).
2023-2024
Uber implements phishing-resistant MFA, removes hardcoded credentials, enhances PAM oversight. The 2022 breach becomes a frequently-cited case study in MFA fatigue attacks and the limits of push-based MFA.
Total impact: Internal Uber systems including AWS, GCP, vSphere, SentinelOne, Slack, and HackerOne accessed by an 18-year-old attacker via MFA fatigue plus hardcoded credentials; the breach became a foundational precedent for phishing-resistant MFA mandates and PAM credential hygiene.
Executive Lessons
The Uber breach demonstrated that Scattered Spider's vishing methodology was not specific to MGM or Caesars — it was deployed against Uber a year earlier with identical results. Any organization that has not redesigned its help desk identity verification to exclude knowledge factors available in breach databases is vulnerable to the same attack. The 18-year-old attacker's ability to access Uber's cloud infrastructure, code repositories, and security tools through a single social engineering chain reflects the danger of SSO-connected infrastructure without Conditional Access policies limiting the blast radius of compromised sessions.
Private Equity Implications
For PE-backed technology companies, the Uber breach illustrates that sophisticated infrastructure can be completely compromised through a combination of social engineering and credential hygiene failures that have nothing to do with technical sophistication. Hardcoded credentials in internal scripts represent a category of risk that is extremely common and often overlooked.