Uber: Lapsus$ Targeted External Contractor With MFA Bombing Attack

Published: 23/11/2024   Category: security




The ride-sharing giant says a member of the notorious Lapsus$ hacking group started the attack by compromising an external contractor's credentials, as researchers parse the incident for takeaways.



Uber has attributed last week's massive breach to the notorious Lapsus$ hacking group and released additional details on the attack. Researchers say the incident has highlighted the risks of placing too much trust in multifactor authentication (MFA), as well as unmanaged risk around cloud-service adoption.
In an update on Monday, Uber laid out the attribution: "We believe that this attacker (or attackers) are affiliated with a hacking group called Lapsus$, which has been increasingly active over the last year or so." Uber's announcement pointed to other companies that had been targeted by the gang via similar techniques, including Cisco, Microsoft, Nvidia, Okta, and Samsung.
Lapsus$ has attracted considerable attention in recent months for its brazen attacks on some of the world's largest and best-known companies. One well-known tactic the group uses is co-opting MFA-circumventing tools into its attack chain.
And indeed, Uber on Monday said the attacker who breached its network last week had first obtained the VPN credentials of an external contractor, likely by purchasing them on the Dark Web. The attacker then repeatedly tried to log in to the Uber account using the stolen credentials, prompting a two-factor login approval request each time.
After the contractor initially blocked those requests, the attacker contacted the target on WhatsApp posing as tech support, telling the person to accept the MFA prompt, thus allowing the attacker to log in.
"The Uber breach appears to be a result of an MFA fatigue attack, also referred to as an MFA bombing attack," says Duncan Greatwood, CEO of Xage. "It's a technique in which hackers send multiple authentication approval requests to a secondary device like a mobile phone, in hopes that a user unintentionally provides access, or grows so frustrated that they eventually approve a request."
Once in, the attacker breached multiple internal systems, and Uber is currently in the process of doing an impact analysis, the company said: the attacker accessed several other employee accounts, which ultimately gave the attacker elevated permissions to a number of tools, including G-Suite and Slack.
The company said the attacker does not appear to have made any changes to its codebase, nor does the attacker appear to have accessed any customer or user data stored by cloud providers. The attacker did, however, download some internal Slack messages and accessed or downloaded an internal tool that Uber's finance team uses to manage invoices. The attacker also accessed a database of vulnerability disclosures in Uber's platform submitted by external researchers through its HackerOne bug-bounty program; all of those bugs have been remediated, Uber said.
Greatwood describes MFA fatigue attacks as a very effective tactic for breaching target organizations. He says his company has observed attackers typically sending frequent MFA requests in the middle of the night, or sending less frequent requests over a few days.
"Either way, in traditional MFA architectures, all it takes is just one approved request for a hacker to access internal systems, from which they can further infiltrate the target organization," he says.
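The pattern Greatwood describes (a run of push prompts to one user, often off-hours, that ends in a single approval) is visible in the identity provider's push-authentication events, and it is worth alerting on before the user gives in rather than after. The following detection is an added example; it is not code from Uber or from any of the vendors quoted in this article. The log format (one JSON object per line with `ts`, `user`, `event` and `src_ip`), the sample lines, and the thresholds are all constructed assumptions, not any product's schema.

```python
"""MFA-fatigue (push-bombing) detection over push-authentication events.

Added example, not code from Uber or any vendor quoted in the article.
Log format is constructed: one JSON object per line with ts (ISO 8601, UTC),
user, event (push_sent | push_denied | push_approved) and src_ip.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one contractor is bombed with prompts overnight, denies
# them, then approves one (the Uber pattern); a second user logs in normally.
SAMPLE_LOG = """\
{"ts": "2022-09-15T02:11:04Z", "user": "contractor1", "event": "push_sent",     "src_ip": "198.51.100.7"}
{"ts": "2022-09-15T02:11:09Z", "user": "contractor1", "event": "push_denied",   "src_ip": "198.51.100.7"}
{"ts": "2022-09-15T02:14:31Z", "user": "contractor1", "event": "push_sent",     "src_ip": "198.51.100.7"}
{"ts": "2022-09-15T02:14:40Z", "user": "contractor1", "event": "push_denied",   "src_ip": "198.51.100.7"}
{"ts": "2022-09-15T02:18:02Z", "user": "contractor1", "event": "push_sent",     "src_ip": "198.51.100.7"}
{"ts": "2022-09-15T02:18:15Z", "user": "contractor1", "event": "push_denied",   "src_ip": "198.51.100.7"}
{"ts": "2022-09-15T02:25:47Z", "user": "contractor1", "event": "push_sent",     "src_ip": "198.51.100.7"}
{"ts": "2022-09-15T02:26:01Z", "user": "contractor1", "event": "push_denied",   "src_ip": "198.51.100.7"}
{"ts": "2022-09-15T02:33:10Z", "user": "contractor1", "event": "push_sent",     "src_ip": "198.51.100.7"}
{"ts": "2022-09-15T02:33:20Z", "user": "contractor1", "event": "push_denied",   "src_ip": "198.51.100.7"}
{"ts": "2022-09-15T02:40:55Z", "user": "contractor1", "event": "push_sent",     "src_ip": "198.51.100.7"}
{"ts": "2022-09-15T02:41:03Z", "user": "contractor1", "event": "push_denied",   "src_ip": "198.51.100.7"}
{"ts": "2022-09-15T02:52:30Z", "user": "contractor1", "event": "push_sent",     "src_ip": "198.51.100.7"}
{"ts": "2022-09-15T02:52:38Z", "user": "contractor1", "event": "push_approved", "src_ip": "198.51.100.7"}
{"ts": "2022-09-15T09:00:00Z", "user": "alice",       "event": "push_sent",     "src_ip": "203.0.113.21"}
{"ts": "2022-09-15T09:00:05Z", "user": "alice",       "event": "push_approved", "src_ip": "203.0.113.21"}
"""

# Assumed thresholds; tune to the IdP's real prompt rates.
PROMPT_BURST = 5             # this many prompts to one user ...
WINDOW = timedelta(hours=1)  # ... inside this window is a burst


def parse_log(text):
    """Parse JSON-lines into dicts with a timezone-aware datetime, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def detect_mfa_fatigue(events, burst=PROMPT_BURST, window=WINDOW):
    """Return alerts for two signals implied by Greatwood's description:
    (1) a burst of push prompts to one user inside `window`, and
    (2) an approval that follows one or more denials inside `window`,
        i.e. the user first said no and then said yes."""
    alerts = []
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    for user, evs in by_user.items():
        sent = [e["ts"] for e in evs if e["event"] == "push_sent"]
        # (1) sliding window over prompt timestamps; report the first burst only
        for i in range(len(sent)):
            j = i
            while j < len(sent) and sent[j] - sent[i] <= window:
                j += 1
            if j - i >= burst:
                alerts.append({"user": user, "rule": "push_burst",
                               "count": j - i, "first_prompt": sent[i]})
                break
        # (2) denial(s) followed by an approval
        denials = [e["ts"] for e in evs if e["event"] == "push_denied"]
        for e in evs:
            if e["event"] != "push_approved":
                continue
            prior = [d for d in denials if timedelta(0) <= e["ts"] - d <= window]
            if prior:
                alerts.append({"user": user, "rule": "approval_after_denials",
                               "denials": len(prior), "approved_at": e["ts"],
                               "src_ip": e["src_ip"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed sample, `contractor1` trips both rules (seven prompts in 41 minutes, six denials before the approval) and `alice` trips neither. The two rules serve different response actions: a `push_burst` alert arrives while the user is still refusing and is grounds to suspend the account and reset the factor before fatigue sets in; `approval_after_denials` fires after the fact and is the trigger to kill the session that approval created.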
Uber's security practices are sure to come under scrutiny because of the breach. But the reality is that the company was the victim of practices that are common to many organizations, researchers note.
Patrick Tiquet, vice president of security and architecture at Keeper Security, says the Uber attack highlights a fundamental misconception around MFA's strength as a method to secure access.
"Although MFA adds a critical second layer of security to your accounts, the biggest misconception about MFA is that all forms are equally secure," he says.
One example of how MFA can fail is SIM card porting, aka SIM swapping, Tiquet notes. This is where attackers port a mobile number to a SIM card or device that they control so that they receive the SMS messages or phone calls for the target number.
"Use of SMS text messages as MFA should be discouraged and never used as MFA for high-value assets," Tiquet says. "The use of an authenticator app, security key, or biometrics are stronger and more effective methods to protect your accounts."
Security researcher Bill Demirkapi explains that another very common misconception is that standard forms of MFA, such as push, touch, and mobile, protect against social engineering. "The reality is that MFA remains vulnerable to man-in-the-middle (MitM) attacks," he says.
He notes that best practices include using phishing- and MitM-resistant forms of MFA rather than time-based one-time passwords (TOTP), not centralizing access keys, and rotating keys regularly. On the latter point, organizations also often do not limit access keys to the minimum privileges required for the key's intended purpose.
"Uber may not have followed best practices, but many other companies don't either," he says. "The main point I'd like to drive home is the importance of not only investing into security for your organization, but specifically investing into these best practices as well."
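The distinction Demirkapi draws between TOTP and phishing-resistant MFA comes down to whether the second factor is bound to the site the user is actually talking to. The model below is an added example, not code from the article or from anyone quoted in it. The TOTP half is a real RFC 6238 computation; the WebAuthn half is a deliberately reduced model in which an HMAC with a shared per-credential key stands in for the authenticator's private-key signature, and only the origin and rpIdHash checks of the relying-party verification are modelled. The host names (`login.example`, `login-example.phish`), keys and challenge are constructed.

```python
"""TOTP relays through a phishing proxy; an origin-bound assertion does not.

Added example. The TOTP half is RFC 6238 (HMAC-SHA1, 30 s step). The
WebAuthn half is a reduced model: an HMAC with a shared per-credential key
stands in for the authenticator's signature, and only the origin and
rpIdHash checks are modelled. Host names, keys and challenge are constructed.
"""
import hashlib
import hmac
import json
import struct
from urllib.parse import urlparse

REAL_ORIGIN = "https://login.example"
PHISH_ORIGIN = "https://login-example.phish"   # attacker's reverse proxy
TOTP_SECRET = b"constructed-totp-seed"
CRED_KEY = b"constructed-credential-key"
NOW = 1663200000                               # fixed epoch seconds, on a 30 s boundary


def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP built on the RFC 4226 HOTP truncation."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp_server_accepts(code: str, t: int) -> bool:
    return hmac.compare_digest(code, totp(TOTP_SECRET, t))


def totp_relay_attack(t: int = NOW) -> bool:
    """Victim types the code into the phishing page; the proxy forwards it.
    Nothing in a TOTP code says which site it was typed into."""
    typed_by_victim = totp(TOTP_SECRET, t)     # from the victim's authenticator app
    forwarded_by_proxy = typed_by_victim       # relayed verbatim a few seconds later
    return totp_server_accepts(forwarded_by_proxy, t + 5)


def authenticator_assert(challenge: str, browser_origin: str) -> dict:
    """What browser + authenticator return for a page loaded at browser_origin.
    The browser, not the page, writes the origin into clientDataJSON and
    derives the default rpId from the page's own host name."""
    rp_id = urlparse(browser_origin).hostname
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": browser_origin}, sort_keys=True).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest()       # rpIdHash only
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(CRED_KEY, signed, hashlib.sha256).digest()  # stand-in for signature
    return {"client_data": client_data, "auth_data": auth_data, "sig": sig}


def webauthn_server_accepts(assertion: dict, challenge: str) -> bool:
    """Relying party: fresh challenge, expected origin, rpIdHash, then signature."""
    client = json.loads(assertion["client_data"])
    if client.get("type") != "webauthn.get" or client.get("challenge") != challenge:
        return False
    if client.get("origin") != REAL_ORIGIN:
        return False
    expected_rp_hash = hashlib.sha256(urlparse(REAL_ORIGIN).hostname.encode()).digest()
    if not hmac.compare_digest(assertion["auth_data"][:32], expected_rp_hash):
        return False
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected_sig = hmac.new(CRED_KEY, signed, hashlib.sha256).digest()
    return hmac.compare_digest(assertion["sig"], expected_sig)


def webauthn_legit_login(challenge: str = "c0nstructed-challenge") -> bool:
    return webauthn_server_accepts(authenticator_assert(challenge, REAL_ORIGIN), challenge)


def webauthn_relay_attack(challenge: str = "c0nstructed-challenge") -> bool:
    """Proxy fetches the real site's challenge and feeds it to the victim's
    browser, which is on the phishing origin; the assertion therefore carries
    that origin and rpIdHash, and the real site rejects it."""
    stolen_assertion = authenticator_assert(challenge, PHISH_ORIGIN)
    return webauthn_server_accepts(stolen_assertion, challenge)


if __name__ == "__main__":
    print("TOTP relay succeeds:    ", totp_relay_attack())      # True
    print("WebAuthn legit login:   ", webauthn_legit_login())   # True
    print("WebAuthn relay succeeds:", webauthn_relay_attack())  # False
```

Two things the model leaves out matter in practice. First, a real browser would not even offer the credential on the phishing domain, because credentials are scoped to the rpId at registration time, so the failure happens client-side before any server check. Second, a real relying party also verifies the user-presence and user-verification flags, the signature counter and the stored public key; the origin and rpIdHash checks shown here are the part that makes the factor phishing-resistant, not the whole procedure.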
It should be noted that the Uber breach is not the only high-profile hit in the last few days; the same Lapsus$ hacker who claimed responsibility for that incident (or at least someone using the same "Teapot" alias that the Uber hacker used) now appears to have also breached Take-Two Interactive's Rockstar Games, posting videos of an early development copy of the Grand Theft Auto 6 video game. In a message, the company acknowledged the breach and said it was "extremely disappointed" to have details of the game leaked in advance of its release.
MFA is not the only weak link for many companies. At a higher level, breaches like the one at Uber show the impact that rapid cloud-services adoption and distributed work models are having on enterprise security strategies, says Russell Spitler, co-founder and CEO of Nudge Security.
"The move to a more distributed model has increased enterprise reliance on asynchronous communications tools such as Slack and WhatsApp in business-critical environments," he says. "The rapid adoption of SaaS has created an unmanaged risk in the form of complex integrations between poorly managed services."
The recent breach at Uber points to the fact that security orgs are outpaced by the sprawling complexity of modern, distributed IT environments and sprawling digital supply chains, Spitler notes. "This complexity creates opportunities for even the most novice of threat actors to gain access using compromised credentials and [finding] their way to critical assets."
