We use cookies to ensure you get the best experience on our website.

The Uber Hack and MFA fatigue

By Connor Cameron — Published

It’s not every day that a $60 billion company loses control of its own systems, especially not when the culprits are a group of teenage hackers.

Earlier this month, Uber released a statement that they were dealing with a potential security threat. More information was gradually released indicating that someone (later identified as a member of teenage cybercriminal gang LAPSUS$) had gained administrative access to the guarded internal portals of Uber. The access extended to the company’s GSuite, AWS, Slack, and supposedly their OneLogin; a holy grail in terms of getting complete access to company accounts.

LAPSUS$ was supposedly responsible for the Microsoft and Okta hacks earlier this year, but neither allowed anywhere near the same level of access. Realistically a company of the size and caliber of Uber, particularly considering the massive amount of confidential data they supposedly protect, should not let themselves get into such a situation, so how did it happen?

It came down to a strategy known as MFA fatigue.

It’s a form of social engineering where the hacker pressures an employee into granting access to a rogue computer by peppering them with multi-factor authentication requests. It ain’t complicated but it sure works.

After a slew of MFA requests was sent to the employee, backed up by a supposed co-worker explaining to the said employee that simply authenticating one of the login attempts would put an end to the notification misery, a couple of clicks let the hacker walk through Uber’s front door, so to speak.

With the internal access, the teen scanned the intranet to find administrative access keys in a PowerShell script. What followed was truly bizarre.

As if part of some twisted game of skill, the hacker announced himself in Uber’s Slack with the line: “Hi @here I announce I am a hacker and Uber has suffered a data breach”. They released company financials and reportedly replaced internal pages with pictures of genitalia, a reference to Uber being ‘wankers’. The message was capped off with an accusation that Uber underpays their drivers.

The true impact of the breach is yet to be determined, but it does highlight how easily a supposedly secure system can be hacked off the back of social engineering, and the importance of training employees to detect security vulnerabilities.