Tags: Famous hacks, social engineering, MFA

Uber 2022: The Social Engineering Attack That Owned Everything

Published on 2026-04-08 | 7 min read | Florian

A Teenager Against an $80 Billion Company

On September 15, 2022, an 18-year-old attacker (later identified as a member of the Lapsus$ group) gained near-total access to Uber's internal systems. The attack did not exploit any sophisticated technical vulnerability. It was pure social engineering.

The Attack Chain

Step 1: Credential purchase. The attacker likely purchased an Uber contractor's credentials on the dark web. These credentials had been stolen during a previous malware infection.

Step 2: MFA fatigue. The attacker repeatedly attempted to log into Uber's VPN, each attempt triggering an MFA push notification on the victim's phone. Dozens of prompts were sent over more than an hour. The victim eventually approved one to make them stop.

Step 3: Direct contact on WhatsApp. When the flood of prompts did not work on its own, the attacker contacted the victim on WhatsApp, posing as Uber IT support and asking them to approve the notification.

Step 4: VPN access. With MFA approved, the attacker accessed Uber's internal network.

Step 5: Secret discovery. The attacker found a network share containing PowerShell scripts with hardcoded administrator credentials, including access to Thycotic (a secrets manager).

Step 6: Total access. Via Thycotic, the attacker obtained credentials for AWS, GCP, Google Workspace, Slack, the HackerOne bug bounty system, financial dashboards, and source code.

What the Attacker Did

The attacker posted a message on Uber's internal Slack announcing the compromise. They modified an internal company page and shared screenshots of internal systems. They also accessed Uber's bug bounty program on HackerOne, where they could read reports of unpatched vulnerabilities.

Why the Attack Worked

Push notification MFA is vulnerable to fatigue attacks. A plain approve/deny prompt gives the user nothing to check, so under a barrage of prompts the user eventually approves one just to make the notifications stop.
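The pattern described here (a long run of unapproved pushes followed by one approval) is visible in authentication logs long before the attacker reaches the VPN. The following detector is an added example, not code from the original post or from Uber; it runs over a constructed sample log and raises one alert when a user has accumulated a burst of denied or timed-out pushes (a point at which the account can be locked and the user called), and a second, more severe alert if an approval follows that burst. The log format, user names and thresholds are all assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Outcomes that mean a push prompt was NOT approved.
FAILURE_EVENTS = {"push_denied", "push_timeout"}


def build_sample_log():
    """Constructed authentication log (not real Uber data), one 'timestamp user event' per line."""
    base = datetime(2022, 9, 15, 22, 0, 0, tzinfo=timezone.utc)
    lines = []
    # Normal user: a single push, approved twenty seconds later.
    lines.append(f"{base.isoformat()} alice push_sent")
    lines.append(f"{(base + timedelta(seconds=20)).isoformat()} alice push_approved")
    # Targeted account: twelve pushes over ~45 minutes, each denied or left to time out ...
    for i in range(12):
        sent = base + timedelta(minutes=4 * i)
        outcome = "push_denied" if i % 2 else "push_timeout"
        lines.append(f"{sent.isoformat()} contractor01 push_sent")
        lines.append(f"{(sent + timedelta(seconds=40)).isoformat()} contractor01 {outcome}")
    # ... followed by one that is finally approved: the moment the attacker gets in.
    sent = base + timedelta(minutes=52)
    lines.append(f"{sent.isoformat()} contractor01 push_sent")
    lines.append(f"{(sent + timedelta(seconds=15)).isoformat()} contractor01 push_approved")
    return lines


def detect_push_fatigue(lines, window=timedelta(minutes=60), threshold=5):
    """Return alerts for push-fatigue patterns found in the log lines.

    Two alert kinds are produced per user:
      * fatigue_burst:          `threshold` or more unapproved pushes inside `window`
                                (fires once, early enough to lock the account and call the user);
      * approval_after_fatigue: an approval that follows such a burst, i.e. the prompt the
                                attacker was waiting for, which should be treated as a compromise.
    """
    recent = defaultdict(deque)   # user -> timestamps of unapproved pushes inside the window
    burst_flagged = set()         # users already alerted on, so the burst alert fires only once
    alerts = []
    for line in lines:
        ts_text, user, event = line.split()
        ts = datetime.fromisoformat(ts_text)
        q = recent[user]
        # Drop failures that have fallen out of the sliding window.
        while q and ts - q[0] > window:
            q.popleft()
        if event in FAILURE_EVENTS:
            q.append(ts)
            if len(q) >= threshold and user not in burst_flagged:
                burst_flagged.add(user)
                alerts.append({"kind": "fatigue_burst", "user": user, "at": ts, "failures": len(q)})
        elif event == "push_approved":
            if len(q) >= threshold:
                alerts.append({"kind": "approval_after_fatigue", "user": user, "at": ts, "failures": len(q)})
            # An approval ends the episode either way; start counting afresh.
            q.clear()
            burst_flagged.discard(user)
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(build_sample_log()):
        print(alert)
```

On the sample log the burst alert fires on the fifth unapproved push (about sixteen minutes in), well before the approval that happens fifty minutes later; the second alert marks that approval as suspicious rather than as a normal login. The thresholds are deliberately conservative: a single legitimate user rarely denies or ignores five prompts in an hour, so the rule is cheap to run over an identity provider's export.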

Hardcoded credentials in scripts on a network share. This is the classic mistake that turns one compromised account with limited access into total compromise.

A secrets manager with overly broad access. Thycotic contained keys to all critical systems.

No effective network segmentation. From the VPN, the attacker could reach all internal systems without restriction.

Lessons

Replace push MFA with FIDO2/WebAuthn. Physical keys (YubiKey) or passkeys are not vulnerable to MFA fatigue: there is no remote prompt to spam, because the authenticator has to be presented on the device that is actually signing in.

Never store credentials in scripts. Fetch them at run time from a secrets manager, rotate them, and scope each identity to only the secrets it needs.
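The network-share discovery in step 5 and this lesson are two sides of the same control: scripts on shares and in repositories should be scanned for embedded secrets before an attacker does it for you. The scanner below is an added example, not the post's or Uber's code; it walks a directory of scripts, applies a handful of patterns for the PowerShell idioms the post mentions (plain-text ConvertTo-SecureString, secret arguments, secret assignments, AWS access key IDs), and reports file, line and rule. It skips quoted values that are really variable expansions such as "$env:SVC_PASSWORD", which is what a script should contain instead of the secret itself. The two sample scripts are constructed for the example, and the key material in them is the AWS documentation's example key pair, not real credentials.

```python
import re
import tempfile
from pathlib import Path

# A quoted literal of 4+ chars that is not itself a variable expansion ("$env:..." is fine).
LITERAL = r'''["']([^"'$][^"']{3,})["']'''

RULES = [
    ("powershell_plaintext_securestring",
     re.compile(r"ConvertTo-SecureString\s+" + LITERAL + r"\s+-AsPlainText", re.I)),
    ("powershell_secret_argument",
     re.compile(r"-(?:Password|Secret|Token|ApiKey)\s+" + LITERAL, re.I)),
    ("generic_secret_assignment",
     re.compile(r"(?:password|passwd|secret|api_?key|token)\w*\s*=\s*" + LITERAL, re.I)),
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
]

# Constructed sample scripts (not real Uber scripts). One bad, one acceptable.
SAMPLE_SCRIPTS = {
    "deploy.ps1": """\
# Deploys the billing service to staging (constructed sample)
$secpw = ConvertTo-SecureString "Sup3rS3cret!" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("svc_deploy@corp.example", $secpw)
$env:AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
$env:AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
""",
    "rotate.ps1": """\
$token = $env:VAULT_TOKEN
$secpw = ConvertTo-SecureString "$env:SVC_PASSWORD" -AsPlainText -Force
$cred = Get-Credential -UserName "svc_rotate"
""",
}


def scan_tree(root, extensions=(".ps1", ".psm1", ".sh", ".py", ".bat", ".cmd")):
    """Scan every script under `root`; return one finding dict per (line, rule) hit."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in extensions:
            continue
        text = path.read_text(errors="replace")
        for lineno, line in enumerate(text.splitlines(), 1):
            for rule_name, pattern in RULES:
                if pattern.search(line):
                    findings.append({"file": str(path.relative_to(root)),
                                     "line": lineno, "rule": rule_name})
    return findings


def demo():
    """Write the constructed scripts into a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLE_SCRIPTS.items():
            (Path(tmp) / name).write_text(body)
        return scan_tree(tmp)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['file']}:{finding['line']}  {finding['rule']}")
```

Running it reports three lines in deploy.ps1 and nothing in rotate.ps1. The patterns are deliberately narrow so the tool can run on every commit and on a periodic crawl of file shares without drowning reviewers in noise; a hit is a reason to move the value into the secrets manager and rotate it, since anything that was ever on the share should be assumed read.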

Segment your network. VPN access should not grant access to all internal systems.

Train your teams on social engineering. The attack worked because a human accepted a notification.

Uber is a textbook example of how a single human error can compromise an entire company. CleanIssue verifies that your systems are resilient even if an individual account is compromised.


Written by Florian
Reviewed on 2026-04-08

Editorial analysis based on official vendor, project, and regulator documentation.
