TechEarl

The 2022 Uber Breach: MFA Fatigue and a Hardcoded Password

In September 2022, an attacker spammed an Uber contractor with MFA prompts, then messaged them on WhatsApp pretending to be IT to get one approved. Inside, they found a hardcoded admin password in a script that unlocked Uber's secrets vault. A post-mortem of the MFA-fatigue attack chain.

Ishan Karunaratne

In September 2022, an attacker breached Uber's internal systems through a sequence that required almost no technical skill. They had an Uber contractor's corporate password, likely bought on the dark web after malware harvested it from the contractor's device. The password alone was not enough, because the account had multi-factor authentication, so the attacker spammed the contractor with login approval prompts. When that did not work, they messaged the contractor on WhatsApp claiming to be Uber IT and told them the prompts would stop if they approved one. The contractor approved. Inside Uber's network, the attacker found a PowerShell script on a shared drive with a hardcoded administrator password for Uber's privileged-access management system, the vault that held credentials for many of Uber's most sensitive systems. From there they had broad access, and they announced it by posting in Uber's internal Slack.

This is the canonical MFA fatigue case, and it is also a clean lesson in how a single hardcoded secret turns a limited foothold into broad privileged access.

The attack chain

Editorial illustration of the Uber breach: a phone buried under a storm of repeated approval notifications, a chat bubble of impersonation, an approval checkmark, and a master key slipping out of a script to open a vault of credentials.
MFA fatigue and a WhatsApp pretext to get in, then a hardcoded key in a script that opened the credential vault.

Every step here is ordinary. That is what makes it instructive.

  1. A stolen password. The attacker started with the valid corporate password of an external contractor. By Uber's own account it was likely purchased on a dark-web marketplace, having been stolen from the contractor's personal device by information-stealer malware. Reused and stolen credentials are the fuel for this entire class of attack.
  2. MFA fatigue. The contractor's account required MFA approval, so the password alone failed. The attacker repeatedly triggered login attempts, flooding the contractor's phone with approval prompts (push bombing). The contractor, correctly, kept declining.
  3. The WhatsApp pretext. When the prompts alone did not work, the attacker contacted the contractor on WhatsApp, posed as Uber IT support, and told them that to make the notifications stop they should approve one. The contractor approved a single prompt. That is all it took.
  4. The hardcoded credential. Now on Uber's VPN and internal network, the attacker searched network shares and, by the accounts widely reported from the attacker's own screenshots, found a PowerShell script containing a hardcoded administrator credential for Uber's privileged-access management (PAM) platform. A PAM vault exists to store and broker the credentials to everything else, so a single admin credential to it unlocked secrets across many internal systems.
  5. The announcement. Rather than stay quiet, the attacker posted a message in Uber's company-wide Slack and reportedly defaced internal dashboards, which is how the breach became public so quickly.

The two failures that mattered

The breach has a tidy structure: one failure let the attacker in, a second let the attacker reach everything.

The way in: MFA fatigue plus a pretext. Simple push-approval MFA asks a context-free yes/no question, and it relies on the user being both alert and stubborn every single time. The attacker defeated it not by breaking the cryptography but by combining annoyance (the flood of prompts) with a social-engineering nudge (the fake IT message). The contractor declined many prompts and approved one, and one is all an attacker needs.
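That burst of declined prompts ending in a single approval is also a shape an identity log can surface. The following is an added example, not from the original post or Uber's tooling: Python over a constructed log format (the field names, the event names, the ten-minute window and the denial threshold are all assumptions to adapt to your IdP's sign-in export).

```python
"""Flag MFA push-bombing: a burst of denied pushes that ends in an approval."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (timestamp, user, event). A contractor denies a burst of
# pushes, then approves one; a second user approves a single push normally.
SAMPLE_LOG = """\
2022-09-15T22:01:03Z contractor1 mfa.push.sent
2022-09-15T22:01:09Z contractor1 mfa.push.denied
2022-09-15T22:01:40Z contractor1 mfa.push.sent
2022-09-15T22:01:47Z contractor1 mfa.push.denied
2022-09-15T22:02:15Z contractor1 mfa.push.sent
2022-09-15T22:02:22Z contractor1 mfa.push.denied
2022-09-15T22:03:01Z contractor1 mfa.push.sent
2022-09-15T22:03:05Z contractor1 mfa.push.denied
2022-09-15T22:09:30Z contractor1 mfa.push.sent
2022-09-15T22:09:41Z contractor1 mfa.push.approved
2022-09-15T22:10:00Z alice mfa.push.sent
2022-09-15T22:10:04Z alice mfa.push.approved
"""

WINDOW = timedelta(minutes=10)  # assumption: how far back to look for denials
DENY_THRESHOLD = 3              # assumption: denials that make an approval suspicious


def parse(log: str):
    """Yield (timestamp, user, event) tuples from the constructed log format."""
    for line in log.splitlines():
        ts, user, event = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event


def find_push_bombing(log: str, window=WINDOW, threshold=DENY_THRESHOLD):
    """Return one alert per approval preceded by >= threshold denials within window.

    An 'approved' event looks normal on its own; the run of denials before it
    is what distinguishes a fatigued user from an ordinary sign-in.
    """
    denials = defaultdict(list)
    alerts = []
    for ts, user, event in parse(log):
        if event == "mfa.push.denied":
            denials[user].append(ts)
        elif event == "mfa.push.approved":
            recent = [t for t in denials[user] if ts - t <= window]
            if len(recent) >= threshold:
                alerts.append({"user": user, "approved_at": ts,
                               "prior_denials": len(recent)})
            denials[user].clear()  # start fresh after any approval
    return alerts
```

Alerting on the burst of sends alone, before any approval, catches the attack earlier; the same loop can count `mfa.push.sent` per user in the window for that.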

The blast radius: a secret in plaintext. A foothold on the network of a company like Uber should be contained. What removed the containment was a hardcoded admin password sitting in a script on a share, pointing at the PAM vault. Hardcoded secrets are the quiet killers of breach response: they turn "the attacker is on one machine" into "the attacker has the keys to everything," and they are everywhere, in scripts, config files, CI pipelines, and code repositories.

Uber stated that it did not see evidence of access to its production systems handling sensitive customer data, and that the user accounts were not used to make changes to its codebase. The damage was primarily to internal systems and to confidence. But the chain shows how little stood between a phished prompt and the credential vault.

The attacker

Uber attributed the intrusion to the Lapsus$ group, a loosely organised crew known for exactly this style of low-sophistication, high-impact social engineering against large technology companies. The individual who claimed responsibility presented as a teenager. The same group and its members were the subject of UK prosecutions; Arion Kurtaj, linked to the wider Lapsus$ activity, was convicted in 2023. As with the Twitter and MGM cases, the operators were young and not technically elite. Their edge was persistence and a willingness to talk to a human.

The lessons I take from it

Number matching or, better, FIDO2. The specific fix for MFA fatigue is to remove the blind yes/no prompt. Number matching, where the user must type a number displayed on the login screen into their authenticator, defeats push bombing because the attacker does not know the number. Phishing-resistant FIDO2 hardware keys remove the prompt entirely. CISA published guidance pushing exactly this change in the wake of attacks like this one.

Get secrets out of scripts. The single most important code-hygiene lesson here: no hardcoded credentials in scripts, config, or repositories. Secrets belong in a managed vault, fetched at runtime with short-lived, scoped credentials, never pasted into a PowerShell file on a share where the next person to find it might not work for you. Scan your codebase and your file shares for secrets; you will find some.
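What such a scan looks like at its simplest, as an added example that is not from the original post and not Uber's tooling: a Python scanner for the common ways a credential ends up as a literal in a PowerShell file. The sample script and the regex rules are constructed; a real scanner such as gitleaks or trufflehog covers far more patterns, but the shape of the check is the same.

```python
"""Scan PowerShell scripts for hardcoded credentials."""
import re
from pathlib import Path

# Constructed sample resembling the kind of script the post describes. The last
# line reads the secret at runtime instead of embedding it, and should not fire.
SAMPLE_SCRIPT = r'''
# connect to the PAM vault for the nightly rotation job
$VaultUser = "svc_pam_admin"
$VaultPass = "Sup3rSecretP@ss!"
$sec = ConvertTo-SecureString "AnotherOne123" -AsPlainText -Force
$cred = New-Object PSCredential($VaultUser, $sec)
Invoke-RestMethod -Uri "https://vault.example.internal/api" -Credential $cred
$Token = Get-Content -Path "C:\secrets\token.txt"
'''

# Each rule captures the literal so a finding can be reported redacted rather
# than by echoing the whole line (which would copy the secret into the report).
PATTERNS = {
    "password_variable": re.compile(
        r'\$\w*(?:pass(?:word|wd)?|secret|token|apikey)\w*\s*=\s*"([^"]+)"', re.I),
    "password_parameter": re.compile(
        r'-(?:Password|Secret|ApiKey|Token)\s+"([^"]+)"', re.I),
    "securestring_plaintext": re.compile(
        r'ConvertTo-SecureString\s+"([^"]+)"\s+-AsPlainText', re.I),
}


def scan_text(text: str, name: str = "<string>"):
    """Return findings as (name, line_no, rule, redacted_value) tuples."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for rule, rx in PATTERNS.items():
            for m in rx.finditer(line):
                value = m.group(1)
                redacted = value[:2] + "*" * (len(value) - 2)
                findings.append((name, line_no, rule, redacted))
    return findings


def scan_path(root: Path, exts=(".ps1", ".psm1", ".psd1")):
    """Walk a directory, e.g. a mounted file share, and scan every PowerShell file."""
    findings = []
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in exts:
            findings.extend(scan_text(p.read_text(errors="ignore"), str(p)))
    return findings
```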

Treat the PAM vault as the crown jewel. A privileged-access management system is, by design, the most concentrated risk in the environment. Access to it must be the most tightly controlled thing you have, with no standing admin credentials lying around and certainly none hardcoded.

Contractor access is real access. The foothold was a contractor's account, and it reached the same internal network as an employee's. Third-party and contractor identities need the same MFA strength, the same least-privilege scoping, and the same monitoring as staff, because to an attacker they are simply a way in.

Where to go next

This is the MFA-fatigue entry in the social engineering taxonomy. Its closest sibling is the MGM breach, which paired help-desk pretexting with the same identity-and-escalation pattern, and the Twitter hack, where real-time MFA relay (a cousin of MFA fatigue) led to over-powered internal tools. For the hardcoded-secret angle on the code-layer side, the broad lesson echoes the credential failures in the Heartland breach.

