Uber Breached via MFA Fatigue Attack on Contractor Account
Uber confirmed an attacker linked to the Lapsus$ crew compromised an external contractor and used an MFA-fatigue 'push spam' attack to bypass multi-factor authentication, gaining access to internal Slack, GCP, AWS, and SentinelOne consoles.
Uber confirmed today that an external attacker — believed by the company to be associated with the Lapsus$ extortion crew — compromised an EXT contractor's account and used the access to enumerate Uber's internal infrastructure across Slack, Google Cloud Platform, Amazon Web Services, SentinelOne, OneLogin, and the company's HackerOne bug-bounty program.
The initial compromise was achieved through credentials harvested by infostealer malware on the contractor's personal device. The attacker then bypassed Uber's MFA requirement by sending repeated push-notification approval prompts to the legitimate user's mobile device — a technique known as MFA fatigue or push bombing — until the contractor approved one to make the notifications stop. The attacker also contacted the contractor via WhatsApp, impersonating IT and instructing them to approve the prompt.
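The push-bombing pattern described above leaves a recognisable trace in MFA telemetry: a burst of denied or unanswered prompts that ends in a single approval. As an added example (not part of the original report or of Uber's tooling), the Python below flags that pattern over a constructed, simplified log format; the field names, the ten-minute window and the threshold of three rejections are assumptions, not values from the incident.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real Uber telemetry). One event per line:
# timestamp,user,event,result   with result in denied | timeout | approved
SAMPLE_LOG = """\
2024-01-01T22:00:00Z,engineer02,mfa_push,denied
2024-01-01T22:01:03Z,contractor01,mfa_push,timeout
2024-01-01T22:01:40Z,contractor01,mfa_push,denied
2024-01-01T22:02:15Z,contractor01,mfa_push,denied
2024-01-01T22:03:02Z,contractor01,mfa_push,timeout
2024-01-01T22:05:10Z,contractor01,mfa_push,approved
2024-01-01T22:09:00Z,engineer02,mfa_push,approved
2024-01-01T23:00:00Z,analyst03,mfa_push,denied
2024-01-01T23:00:30Z,analyst03,mfa_push,denied
2024-01-01T23:01:00Z,analyst03,mfa_push,timeout
"""

WINDOW = timedelta(minutes=10)  # assumed look-back for rejected/unanswered pushes
THRESHOLD = 3                   # assumed rejections in the window that make a burst suspicious

def parse_log(text):
    """Parse the constructed CSV format into (time, user, result) tuples sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, user, event, result = line.split(",")
        if event == "mfa_push":
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return sorted(events)

def detect_push_fatigue(text, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per suspicious burst: approved_at is the approval that
    ended a burst of >= threshold rejections, or None if the user held out."""
    by_user = defaultdict(list)
    for ts, user, result in parse_log(text):
        by_user[user].append((ts, result))
    alerts = []
    for user, evs in by_user.items():
        recent = []  # rejected/unanswered push times still inside the window
        for ts, result in evs:
            recent = [t for t in recent if ts - t <= window]
            if result in ("denied", "timeout"):
                recent.append(ts)
            elif result == "approved":
                if len(recent) >= threshold:
                    alerts.append({"user": user, "approved_at": ts, "rejections": len(recent)})
                recent = []  # an approval closes the burst either way
        if len(recent) >= threshold:  # bombardment the user never approved
            alerts.append({"user": user, "approved_at": None, "rejections": len(recent)})
    return alerts
```

An approval that follows a flagged burst is the event to treat as a likely compromised session; a burst with no approval is still worth a call to the user, since it shows someone holds their password.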
Once inside, the attacker discovered a PowerShell script on an internal network share that contained hardcoded admin credentials for Thycotic, Uber's privileged-access management platform, granting broad access to additional internal systems.
"This is a textbook case of an environment that had defense-in-depth on paper but lacked it in practice," said Allison Wikoff, a senior threat analyst at PwC. "MFA push prompts without number matching, secrets in scripts, flat networks behind the perimeter — these are the recurring lessons we keep failing to learn."
Uber said no customer or driver data was accessed and that core infrastructure remained operational. The incident accelerated industry adoption of phishing-resistant MFA methods such as WebAuthn/FIDO2 and number matching, and prompted Microsoft and others to disable push-only MFA approval by default in subsequent product updates.