
Cyber Incident Victim: Uber Technologies Inc.

Date: Sep 2022

Location: United States of America

Summary

A threat actor affiliated with the Lapsus$ group compromised the company through a contractor's stolen credentials, employing an MFA fatigue attack to gain initial access. After infiltrating employee accounts and escalating privileges, the attacker accessed internal tools like G-Suite and Slack, posting messages in company-wide channels and altering OpenDNS configurations to display images on internal sites. The breach exposed confidential information including invoices and HackerOne vulnerability reports, though production systems storing sensitive user data were not accessed. The company maintained operational public services while responding by disabling compromised accounts, rotating access keys, locking down code repositories, and enhancing internal monitoring. The same attacker separately claimed responsibility for breaching a video game studio, leaking source code and assets.


Description

On September 16, 2022, Uber experienced a security breach involving unauthorized access to its internal systems. The attacker, identified by Uber as affiliated with the Lapsus$ extortion group, gained initial entry by compromising the credentials of an Uber EXT contractor. The attacker employed a multi-factor authentication (MFA) fatigue attack, repeatedly sending two-factor login requests until the contractor accepted one, bypassing security controls. This method aligned with Lapsus$'s known tactics, previously used against Microsoft, Cisco, NVIDIA, Samsung, and Okta. After gaining access, the threat actor moved laterally within Uber’s network, compromising additional employee accounts to escalate privileges. The elevated access enabled the attacker to reach critical internal tools, including G-Suite and Slack. The intruder posted a message to a company-wide Slack channel and altered Uber’s OpenDNS configurations to display a graphic image on internal sites, signaling their presence. Uber’s public-facing services, including Uber Eats and Uber Freight, remained operational throughout the incident.


Uber’s investigation found no evidence of access to production systems storing sensitive user data. The company responded by identifying and disabling compromised accounts, rotating access keys to internal services, locking down its codebase, and enforcing re-authentication for restored access. Monitoring of internal environments was enhanced to detect further anomalies. The breach exposed confidential information, including internal invoices and vulnerability reports from Uber’s HackerOne bug bounty program, though all referenced vulnerabilities had been remediated. Separately, the attacker claimed responsibility for breaching Rockstar Games around the same time, leaking source code and in-game footage. Uber maintained that no customer data or critical infrastructure was compromised, attributing the incident’s containment to rapid response measures and existing security protocols.
