# Uber Breach 2022
## Definition
On September 15, 2022, an attacker affiliated with the Scattered Spider threat ecosystem breached Uber's corporate network and announced the compromise inside Uber's own internal Slack workspace. The attacker was 18 years old. The breach required no technical vulnerability. It required a phone number, a willingness to send repeated push notifications, and the ability to convincingly impersonate an IT support employee over text message.
The attacker gained access to Uber's AWS environment, Google Cloud Platform, Slack workspace, HackerOne vulnerability reporting program, and multiple internal tools. The entire sequence from initial credential purchase to posting the breach announcement in Uber's all-engineering Slack channel took approximately two hours. Total time required for technical exploitation of any Uber system: zero. The attacker never exploited a vulnerability in Uber's infrastructure. Every access point was opened through social engineering and the abuse of legitimate authentication mechanisms.
The breach did not originate from a nation-state actor with advanced persistent threat capabilities. It originated from a teenager who purchased stolen credentials, read a publicly documented attack technique, and executed it against a company with 26,000 employees and a multi-billion dollar security budget.
The Uber 2022 breach is the reference case for two specific control failures that have since driven mandatory changes across the industry: reliance on push-based MFA and the storage of privileged credentials in accessible file shares.
Scale: Full administrative access to AWS, GCP, Slack, and HackerOne. Exposure of undisclosed vulnerability reports covering all active Uber products. Complete compromise achieved in approximately two hours. No technical vulnerabilities exploited.
## How It Happened
The Uber breach followed a sequence that has since been replicated by Scattered Spider and its affiliates against dozens of major organizations. Each step is documented and each step was preventable.
### Step 1: Credential Acquisition
The attacker purchased credentials for an Uber contractor on a dark web marketplace. Credential markets in 2022 offered access to millions of corporate accounts harvested through information-stealing malware, phishing campaigns, and prior breaches. The contractor's username and password were not obtained through any attack against Uber. They were obtained because the contractor's credentials had previously been compromised elsewhere and were available for purchase. The attacker paid a nominal fee for access that would have cost significantly more in time and resources to obtain through direct attack.
This is the current threat landscape baseline: credential theft operates at industrial scale through secondary markets. An organization's perimeter defense is partially dependent on the security hygiene of every individual who has access credentials to that organization's systems.
### Step 2: MFA Fatigue
Uber's systems were protected by MFA using push notifications through an authentication app. When the attacker attempted to log in with the contractor's stolen credentials, the authentication system sent a push notification to the contractor's phone. The notification presented two options: Approve or Deny.
The attacker did not attempt to intercept or bypass the MFA system technically. Instead, the attacker sent the push notification repeatedly, one after another, over an extended period. Simultaneously, the attacker sent text messages to the contractor impersonating Uber IT support staff. The message explained that the repeated notifications were the result of a security issue that Uber IT was investigating, and that the contractor needed to approve one notification to allow the security team to resolve the problem.
The contractor approved the push notification.
This technique is called MFA fatigue or MFA push bombing. It exploits the human response to repeated alerts: the desire to make them stop. Combined with a social engineering pretext that reframes approval as the correct action, MFA fatigue converts a security control into an access mechanism for the attacker.
### Step 3: VPN Access and Internal Pivot
With the approved MFA push, the attacker connected to Uber's corporate VPN as the contractor. This placed the attacker inside Uber's internal network with the access level of a contractor account. The attacker began exploring accessible internal resources.
### Step 4: Hardcoded Credentials in a PowerShell Script
The attacker located an internal network file share accessible from the contractor's account. Inside the file share were PowerShell scripts used for administrative automation. One of these scripts contained hardcoded credentials for Uber's Privileged Access Management (PAM) platform, Thycotic.
The PAM platform is specifically designed to vault and protect privileged credentials. Its security model depends on privileged credentials being accessed through the PAM vault, with full audit logging and access controls. The hardcoded credentials in the PowerShell script bypassed every control in the PAM system entirely. The attacker now had administrative access to the credential vault that contained credentials for Uber's most sensitive systems.
### Step 5: Full Environment Access
Using the PAM admin credentials, the attacker extracted stored credentials for AWS, Google Cloud Platform, Slack, and Uber's HackerOne account. The HackerOne access was particularly significant: Uber's HackerOne program contained all active, undisclosed vulnerability reports submitted by external security researchers. Each open report represented a known, unpatched vulnerability in an Uber product. The attacker had access to a complete catalog of Uber's unresolved security issues.
### Step 6: The Slack Announcement
The attacker posted a message in Uber's #all-engineering Slack channel announcing the breach and claiming to have accessed all of Uber's internal systems. The message included screenshots of AWS, GCP, and Slack access as evidence. Employees initially believed it was a joke. It was not. Within hours, the breach was confirmed and reported by multiple technology news outlets.
## Why It Matters
The Uber 2022 breach demonstrated that MFA push notifications do not satisfy the "phishing-resistant" standard. This distinction matters operationally, not just academically. Many organizations consider MFA deployment a completed control. The Uber breach established that push-based MFA creates a new attack surface: the human being on the receiving end of the push.
FIDO2 hardware security keys and passkeys are phishing-resistant because the authentication token is cryptographically bound to the specific domain and device. There is no human approval step. There is no prompt to intercept or manipulate. The attacker who obtained Uber contractor credentials and attempted to replay them against a FIDO2-protected system would have received a simple authentication failure with no social engineering opportunity.
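The domain binding described above is what makes a replayed or relayed FIDO2 assertion fail without any human decision. The block below is an added example, not Uber's code or any FIDO server's implementation: it models the binding checks a relying party performs on a WebAuthn assertion (ceremony type, fresh challenge, origin, rpIdHash, user-presence flag) using only the standard library. The relying party name, origin and lookalike domain are constructed; the signature over `authenticatorData || SHA-256(clientDataJSON)` is verified after these checks by the real FIDO server and is deliberately left out here.

```python
import base64
import hashlib
import json
import secrets
import struct

# Relying party values are constructed for this example; they are not Uber's.
RP_ID = "corp.example.com"
EXPECTED_ORIGIN = "https://corp.example.com"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def new_challenge() -> str:
    """Fresh per-login challenge; a stale or reused one fails the check below."""
    return b64url_encode(secrets.token_bytes(32))


def make_client_data(origin: str, challenge: str) -> bytes:
    """clientDataJSON as the browser builds it from the origin it is really on."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()


def make_authenticator_data(rp_id: str, flags: int = 0x01, counter: int = 0) -> bytes:
    """authenticatorData = rpIdHash(32) || flags(1) || signCount(4).
    The browser derives rp_id from the domain it is actually talking to,
    so a page on another domain cannot produce the relying party's hash."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", counter)


def check_assertion(client_data_json: bytes, authenticator_data: bytes, expected_challenge: str):
    """Relying-party binding checks on a WebAuthn assertion. Returns (ok, reason).
    Signature verification over authenticatorData || SHA-256(clientDataJSON)
    happens after these checks in a real FIDO server and is not modelled."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch: stale or replayed assertion"
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, "origin %r is not the relying party" % client_data.get("origin")
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash was computed for a different domain"
    if not authenticator_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "binding checks passed"


def demo():
    ch = new_challenge()
    # 1. Genuine login from the real site: every binding check passes.
    ok_real, _ = check_assertion(make_client_data(EXPECTED_ORIGIN, ch),
                                 make_authenticator_data(RP_ID), ch)
    # 2. Assertion produced on a lookalike domain (constructed): the browser stamps
    #    that domain's origin and rpIdHash, so the relying party rejects it outright.
    ok_relay, _ = check_assertion(make_client_data("https://corp-example.net", ch),
                                  make_authenticator_data("corp-example.net"), ch)
    # 3. Old assertion replayed against a new login: the challenge no longer matches.
    ok_replay, _ = check_assertion(make_client_data(EXPECTED_ORIGIN, new_challenge()),
                                   make_authenticator_data(RP_ID), ch)
    return ok_real, ok_relay, ok_replay


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Note that none of the three outcomes involves a prompt the user could be talked into approving; the rejection is a property of the data the browser and authenticator produce, which is the operational meaning of "phishing-resistant".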
The PAM failure is equally instructive. PAM platforms are expensive, complex enterprise tools deployed specifically to protect privileged credentials. A single PowerShell script with a hardcoded PAM admin password negated the entire investment. This failure pattern, privileged credentials stored in accessible automation scripts and configuration files, appears in a significant percentage of breach investigations. It represents the gap between what an organization intends its security architecture to do and what developers and administrators actually do when they need to make a script run.
The HackerOne access created a secondary breach. Every undisclosed vulnerability in Uber's products was exposed to a threat actor with demonstrated willingness to exploit access. Uber had to treat every open HackerOne report as compromised, requiring accelerated remediation timelines across all active research submissions.
The identity of the attacker, an 18-year-old, is operationally significant because it removes the nation-state framing from the threat model. Organizations that build threat models around advanced persistent threats and state-sponsored actors often discount the capability of unsophisticated actors to cause catastrophic damage. The techniques used in the Uber breach are documented, accessible, and do not require technical expertise. They require social confidence and a willingness to attempt them. Scattered Spider subsequently used the same playbook against MGM Resorts, Caesars Entertainment, and multiple other major organizations.
## CDA Perspective
The Uber breach maps cleanly to two PDM domains, with the IAT domain bearing the primary weight and TID representing the detection failure that allowed the attacker to operate without interruption.
### IAT: Identity Access and Trust
The Zero Possession Architecture (ZPA) methodology addresses both failure points in the Uber breach at a foundational level. ZPA's core principle is "Trust nothing. Possess nothing. Verify everything." Applied to the specific control failures in this breach:
The push-based MFA failure is a ZPA issue because the authentication mechanism could be manipulated through social engineering. ZPA requires authentication mechanisms that do not depend on human judgment at the approval moment. FIDO2 authentication bound to verified device and domain removes the approval step entirely, replacing it with a cryptographic handshake that cannot be socially engineered. Mission IAT-H01 (phishing-resistant MFA rollout) is the specific operational mandate that addresses this control gap, specifying FIDO2 as the required standard for privileged and external-facing authentication contexts.
The hardcoded PAM credentials represent a ZPA violation at the most fundamental level. "Possess nothing" means credentials do not exist in configuration files, scripts, or file shares. Secrets management platforms with dynamic credential injection allow automation scripts to request credentials at runtime through an authenticated API call rather than carrying static credentials embedded in the script itself. The attacker who found the PowerShell script would have found no credentials to extract because no credentials would have existed in the file. Mission IAT-H02 (PAM implementation) and Mission IAT-H03 (credential vault enforcement) address this directly: IAT-H02 establishes the PAM architecture, and IAT-H03 provides the scanning and enforcement capability to find and eliminate hardcoded credentials before they become the breach vector.
Mission IAT-R01 (identity infrastructure assessment) is the reconnaissance phase that finds the existing hardcoded credentials problem before an attacker does. A systematic credential scan across the internal network file shares that the contractor account could access would have surfaced the PowerShell script containing PAM credentials. The fix is trivial once the exposure is known. The Uber failure was not a lack of available remediation options. It was a lack of the visibility to know the problem existed.
Mission IAT-B02 (MFA deployment review) examines the current MFA deployment across the organization and classifies authentication methods by phishing resistance. Push-based MFA receives a downgrade recommendation with a migration timeline to FIDO2 for high-value access points. This review would have identified contractor VPN access as a high-value context requiring phishing-resistant authentication.
### TID: Threat Intelligence and Defense
The Predictive Defense Intelligence (PDI) methodology requires detection capability calibrated to attacker behavior, not attacker identity. The Uber attacker's behavior inside the network produced observable signals that a functioning detection program would have flagged.
MFA push bombardment generates an authentication anomaly: the same account triggering dozens of push notifications in a short time window, followed immediately by a successful authentication. This pattern is not consistent with legitimate user behavior. A SIEM rule that flags excessive push notifications against a single account within a short time window would have generated an alert before the contractor approved the fatigue attempt. The alert would have allowed the security team to contact the contractor directly and identify the social engineering in progress.
After VPN access, the attacker's behavior inside the network represented additional anomalies: a contractor account accessing a file share containing administrative scripts, extracting credentials from those scripts, and then initiating PAM access and subsequent cloud platform access within minutes. The velocity and breadth of access are not consistent with contractor workflow patterns. Behavioral analytics tuned to baseline contractor access patterns would have flagged this sequence for investigation.
Mission TID-H01 (detection rule tuning) addresses both the MFA bombardment signature and the lateral movement behavioral pattern. Deployed against Uber's authentication logs and network activity, these rules would have produced alerts at two separate points in the attack chain: before credential approval and before PAM access.
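The two detection points named above, a push-bombing signature on the authentication logs and a velocity-and-breadth pattern on post-VPN activity, can be expressed as simple stateful rules. The following is an added example written for this article, not a TID-H01 rule set or any SIEM vendor's content: it runs both rules over a constructed event list (user names, resource labels, timestamps and the `role` field are all assumed for illustration) and returns the alerts each rule would raise and when.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def ev(ts, user, role, event, resource):
    return {"ts": ts, "user": user, "role": role, "event": event, "resource": resource}


# Constructed sample telemetry (not real Uber logs). contractor01 receives a burst of
# pushes and approves one; alice is a normal single-push login for contrast.
SAMPLE_EVENTS = [
    ev("2022-09-15T22:01:00Z", "contractor01", "contractor", "mfa_push_sent", "vpn"),
    ev("2022-09-15T22:01:40Z", "contractor01", "contractor", "mfa_push_sent", "vpn"),
    ev("2022-09-15T22:02:20Z", "contractor01", "contractor", "mfa_push_sent", "vpn"),
    ev("2022-09-15T22:03:00Z", "alice", "employee", "mfa_push_sent", "vpn"),
    ev("2022-09-15T22:03:05Z", "contractor01", "contractor", "mfa_push_sent", "vpn"),
    ev("2022-09-15T22:03:10Z", "alice", "employee", "mfa_push_approved", "vpn"),
    ev("2022-09-15T22:03:50Z", "contractor01", "contractor", "mfa_push_sent", "vpn"),
    ev("2022-09-15T22:04:30Z", "contractor01", "contractor", "mfa_push_sent", "vpn"),
    ev("2022-09-15T22:05:10Z", "contractor01", "contractor", "mfa_push_sent", "vpn"),
    ev("2022-09-15T22:06:00Z", "contractor01", "contractor", "mfa_push_sent", "vpn"),
    ev("2022-09-15T22:06:30Z", "contractor01", "contractor", "mfa_push_approved", "vpn"),
    ev("2022-09-15T22:06:31Z", "contractor01", "contractor", "auth_success", "vpn"),
    ev("2022-09-15T22:20:00Z", "contractor01", "contractor", "file_access", "fileshare:admin-scripts"),
    ev("2022-09-15T22:25:00Z", "contractor01", "contractor", "auth_success", "pam"),
    ev("2022-09-15T22:31:00Z", "contractor01", "contractor", "auth_success", "aws-console"),
    ev("2022-09-15T22:34:00Z", "contractor01", "contractor", "auth_success", "gcp-console"),
]


def detect_push_bombing(events, threshold=5, window=timedelta(minutes=10)):
    """Alert once per account when `threshold` pushes land inside `window`;
    record the approval time if that account later approves a push."""
    alerts, fired = [], {}
    recent = defaultdict(deque)           # user -> timestamps of recent pushes
    for e in sorted(events, key=lambda e: e["ts"]):
        user, t = e["user"], parse_ts(e["ts"])
        if e["event"] == "mfa_push_sent":
            q = recent[user]
            q.append(t)
            while t - q[0] > window:      # drop pushes that fell out of the window
                q.popleft()
            if len(q) >= threshold and user not in fired:
                fired[user] = {"user": user, "rule": "mfa_push_bombing", "pushes": len(q),
                               "at": e["ts"], "approved_after": None}
                alerts.append(fired[user])
        elif e["event"] == "mfa_push_approved" and user in fired:
            fired[user]["approved_after"] = e["ts"]   # escalate: bombarded account approved
    return alerts


# Assumed mapping from resource labels to sensitivity classes for the second rule.
SENSITIVE_CLASSES = {"fileshare:admin-scripts": "admin_scripts", "pam": "pam",
                     "aws-console": "cloud", "gcp-console": "cloud"}


def detect_contractor_velocity(events, window=timedelta(minutes=30), min_classes=3):
    """Alert when a contractor account reaches `min_classes` distinct sensitive
    classes inside `window`: breadth plus speed, not any single access."""
    alerts, history = [], defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        cls = SENSITIVE_CLASSES.get(e["resource"])
        if e["role"] != "contractor" or cls is None or e["event"] not in ("file_access", "auth_success"):
            continue
        t = parse_ts(e["ts"])
        hist = history[e["user"]]
        hist.append((t, cls))
        hist[:] = [(ht, hc) for ht, hc in hist if t - ht <= window]
        classes = sorted({hc for _, hc in hist})
        if len(classes) >= min_classes and not any(a["user"] == e["user"] for a in alerts):
            alerts.append({"user": e["user"], "rule": "contractor_privilege_velocity",
                           "classes": classes, "window_start": hist[0][0].isoformat() + "Z",
                           "at": e["ts"]})
    return alerts


if __name__ == "__main__":
    for a in detect_push_bombing(SAMPLE_EVENTS) + detect_contractor_velocity(SAMPLE_EVENTS):
        print(a)
```

On the sample data the push-bombing rule fires on the fifth push at 22:03:50, almost three minutes before the approval at 22:06:30, which is the window in which a security team could have called the contractor; the velocity rule fires at 22:31 when the account has touched administrative scripts, the PAM platform and a cloud console within eleven minutes, before the second cloud platform is reached.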
## Key Takeaways
Push-based MFA is not phishing-resistant MFA. The industry distinction between phishing-resistant (FIDO2, hardware keys, passkeys) and phishing-susceptible (SMS, TOTP, push) is no longer academic. MFA fatigue is a documented, repeatable technique used by multiple threat groups against large organizations with significant security investments. Organizations still relying on push-based MFA for privileged access or contractor VPN are operating a control that can be bypassed with a text message.
Secrets in files are not secrets. A credential stored in a PowerShell script, a configuration file, a GitHub repository, or a file share is an accessible credential for anyone who can reach that storage location. Secrets management platforms with dynamic credential injection exist specifically to eliminate this pattern. Credential scanning tools can identify hardcoded secrets across file systems and code repositories before an attacker finds them first.
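Both the IAT-R01 credential scan described in the CDA Perspective section and the "secrets in files are not secrets" takeaway above come down to the same capability: walking the scripts on reachable shares and flagging literal credentials before an attacker reads them. The block below is an added example, not the project's scanner or any commercial tool: it runs a small rule set over constructed PowerShell file contents that mirror the breach pattern (a PAM password assigned as a literal, a `ConvertTo-SecureString ... -AsPlainText` literal, and an AWS key pair) next to a version that fetches the secret at run time. All file paths, hostnames and credentials are constructed; the AWS pair is the AWS documentation example pair, and `Get-Secret` is the Microsoft.PowerShell.SecretManagement cmdlet with an assumed vault name.

```python
import re

# Constructed file contents standing in for scripts found on an internal share.
# Every credential below is fake; the AWS pair is AWS's own documentation example.
SAMPLE_FILES = {
    r"\\fileshare\it-automation\rotate-accounts.ps1":
        '# Rotates service accounts against the PAM API (constructed sample)\n'
        '$pamUser = "svc-pam-admin"\n'
        '$pamPass = "Winter2022!Rotate"\n'
        '$secure = ConvertTo-SecureString "Winter2022!Rotate" -AsPlainText -Force\n'
        'Invoke-RestMethod -Uri "https://pam.corp.example.com/api/authenticate" '
        '-Body @{username=$pamUser; password=$pamPass}\n',
    r"\\fileshare\it-automation\backup-s3.ps1":
        '$env:AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        '$env:AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n',
    r"\\fileshare\it-automation\rotate-accounts-fixed.ps1":
        '# Same job, but the secret is requested from the vault at run time\n'
        '$pamPass = Get-Secret -Name "pam-admin" -Vault "CorpVault" -AsPlainText\n',
}

# Rule name and pattern. The last capture group (or the whole match when there is
# none) is the secret itself, so the report can redact it instead of copying it.
RULES = [
    ("ps_variable_literal",
     re.compile(r'(?i)\$\w*(?:pass|pwd|secret|token)\w*\s*=\s*["\']([^"\']+)["\']')),
    ("ps_securestring_literal",
     re.compile(r'(?i)ConvertTo-SecureString\s+["\']([^"\']+)["\']\s+-AsPlainText')),
    ("aws_access_key_id",
     re.compile(r'\bAKIA[0-9A-Z]{16}\b')),
    ("aws_secret_access_key",
     re.compile(r'(?i)AWS_SECRET_ACCESS_KEY\s*=\s*["\']([A-Za-z0-9/+=]{40})["\']')),
]


def redact(secret):
    """Keep a short prefix so an owner can recognise the value without the report
    itself becoming a second copy of the credential."""
    return secret[:4] + "*" * (len(secret) - 4)


def scan_text(path, text):
    """Return one finding per (line, rule) hit: path, line number, rule, redacted value."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES:
            m = pattern.search(line)
            if not m:
                continue
            secret = m.group(m.lastindex) if m.lastindex else m.group(0)
            findings.append({"path": path, "line": line_no, "rule": name,
                             "redacted": redact(secret)})
    return findings


def scan_files(files):
    """Scan a mapping of path -> contents; in practice the contents would be read
    from every share the account under review can reach."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']}  {f['rule']}  {f['redacted']}")
```

The variable-assignment rule deliberately matches only a quoted literal on the right-hand side, so the fixed script, whose `$pamPass` is populated by a cmdlet call at run time, produces no finding: that is the "possess nothing" outcome the scanner is meant to enforce. Real deployments add entropy heuristics and vendor-specific token formats on top of rules like these, and exclude known placeholders to keep the alert volume workable.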
PAM is only as strong as its credential security. Privileged Access Management platforms protect privileged credentials inside the vault. They do not protect credentials that exist outside the vault. A hardcoded PAM admin password in a script bypasses every control in the PAM system. The value of a PAM investment depends on enforcing that all PAM access goes through the vault, which requires active scanning for bypass patterns.
Contractors carry the same risk as employees. The contractor's credentials were the initial purchase. The contractor's phone received the MFA push. The contractor's VPN access provided the internal foothold. Contractor account security must meet the same standards as employee account security. Third-party access with lower security requirements creates a deliberate weak point.
The attacker's age is irrelevant. The technique is what matters. The same MFA fatigue and credential-in-script pattern used by an 18-year-old against Uber was subsequently used by organized criminal groups against casino operators and telecommunications companies. The technique's effectiveness does not require technical sophistication. It requires only that the target has left the gaps open.
## Related Articles
- Multi-Factor Authentication
- Privileged Access Management
- Social Engineering
- Zero Trust Architecture
- Identity and Access Management
- Credential Management
- Threat Detection and Response
- Insider Threat and Contractor Risk
## Sources
- Uber Security, "Security Incident September 2022," Uber Newsroom, September 2022. https://www.uber.com/newsroom/security-update/
- CISA, "Cybersecurity Advisory AA22-335A: Scattered Spider," November 2022. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
- Verizon, "2023 Data Breach Investigations Report," Verizon Business, 2023. https://www.verizon.com/business/resources/reports/dbir/
- Microsoft Threat Intelligence, "Octo Tempest Crosses Boundaries to Facilitate Extortion, Encryption, and Destruction," Microsoft Security Blog, October 2023. https://www.microsoft.com/en-us/security/blog/2023/10/25/octo-tempest-crosses-boundaries-to-facilitate-extortion-encryption-and-destruction/
- Unit 42, "Threat Group Assessment: Muddled Libra," Palo Alto Networks, 2023. https://unit42.paloaltonetworks.com/muddled-libra/
- KrebsOnSecurity, "Teen Who Masterminded Uber Hack in 2022 Gets 3 Years in Prison," 2024. https://krebsonsecurity.com/2024/08/teen-who-masterminded-uber-hack-in-2022-gets-3-years-in-prison/
Written by Evan Morgan