Decipher File · September 2022
Uber MFA Fatigue: How Push-Bombing Broke a Contractor's Account
The Uber 2022 breach is the case study that made MFA fatigue, or push-bombing, a widely recognized attack technique rather than a curiosity. In September 2022, a Lapsus$-affiliated actor obtained a contractor's Uber credentials, triggered repeated MFA push prompts by attempting to log in, and combined the bombardment with a WhatsApp social engineering message to reach Uber's internal Slack, Google Workspace, AWS, and HackerOne environments.
Incident summary
Uber Technologies operates ride-sharing and delivery platforms used in over 70 countries. On September 15, 2022 an external actor posted to Uber's company-wide Slack channel announcing the breach, then reconfigured Uber's OpenDNS so internal sites displayed an explicit image. Uber acknowledged the incident publicly the next day.
Per Uber's September 16, 2022 statement (updated September 19), the actor started with the credentials of an Uber EXT contractor, most likely purchased on a dark web marketplace after the contractor's personal device had been infected with infostealer malware. The contractor had MFA enabled. The actor repeatedly attempted to log in, each attempt generating a push prompt that the contractor initially did not approve. Per the actor's own account to security researchers (Uber's statement does not describe the pretext), the actor also contacted the contractor on WhatsApp claiming to be Uber IT and said that approving one of the prompts would stop the notifications. The contractor eventually approved a prompt.
Uber attributed the attack to Lapsus$, the same group behind earlier 2022 breaches at Microsoft, NVIDIA, Samsung, and Okta. Uber stated that no customer data, trip history, or financial information was accessed. Uber's statement and the screenshots the actor shared together show that the actor did reach Uber's internal Slack, Google Workspace, AWS, vSphere, HackerOne, and Thycotic PAM environments.
Attack technique
MITRE ATT&CK maps the operation to T1078 (Valid Accounts) for the contractor credential, T1621 (Multi-Factor Authentication Request Generation) for the push-bombing, and T1566.003 (Phishing: Spearphishing via Service) for the WhatsApp message. T1621 entered ATT&CK in version 11 (April 2022), a few months before this incident, formalizing what practitioners had been calling MFA fatigue or push bombing; the Uber breach became the technique's best-known public example.
After approval of the MFA push, the actor authenticated to Uber's VPN as the contractor. Per security researcher Corben Leo's communication with the actor, network reconnaissance found a PowerShell script on an internal network share containing hardcoded administrative credentials for Uber's Thycotic Privileged Access Management (PAM) deployment. Authenticating to PAM gave the actor secrets to many other systems.
The technique chain illustrates the multiplicative effect of MFA fatigue. A single approved push by a contractor with limited privilege escalated through a hardcoded admin secret to the central PAM, which by design held credentials to the most sensitive systems. The PowerShell script with embedded credentials was the secondary failure that turned a contractor compromise into a privileged compromise.
Impact and consequences
Uber confirmed access to internal systems including Slack, Google Workspace, AWS, vSphere, HackerOne, and Thycotic PAM. Uber stated that customer data, trip history, and financial information were not accessed. HackerOne reports submitted to Uber were viewed by the actor, which put every not-yet-remediated vulnerability disclosed through the bug bounty program in the actor's hands and made triage of those reports an immediate priority.
Lapsus$ broke the public assumption that 'MFA stops phishing.' The 2022 series of Lapsus$ incidents at Microsoft, NVIDIA, Samsung, Okta, and Uber relied on social engineering plus MFA fatigue rather than on technical exploits. The pattern pushed Microsoft to make number matching the default for all Authenticator push notifications (enforced May 8, 2023, after an originally announced February 2023 date) and CISA to publish fact sheets on phishing-resistant MFA and on number matching in October 2022.
MITRE ATT&CK already carried T1621 (added April 2022); the Uber incident became its canonical public example. CISA's October 2022 fact sheet on phishing-resistant MFA ranked FIDO2/WebAuthn and PKI-based MFA above push-based MFA and treated push with number matching as an interim improvement, not a destination. In federal policy, OMB M-22-09 (January 2022) had already required agencies to adopt phishing-resistant MFA by the end of FY2024; the 2022 incidents gave that mandate urgency.
Indicators of Compromise
The observables below are the incident-specific artifacts generalized into what a defender can actually hunt for. Cross-reference them against your existing detection rules before acting on them.
- A burst of MFA push requests to one account in a short window, most denied or timed out, typically from a source IP or geography the account has never used, followed by an approval
- Out-of-band contact (WhatsApp, SMS, a call to a personal phone) to the targeted user by someone claiming to be corporate IT shortly before the approval
- VPN authentication with credentials that appear in credential-marketplace or infostealer dumps, or from an IP that does not match the user's recent sign-in history
- Scripts on network shares that contain embedded privileged credentials, particularly for PAM or secrets-management systems
- PAM administrative logins from an interactive user session or VPN client address rather than from the automation hosts that normally use the account
- Unexpected posts to company-wide Slack channels and unauthorized changes to DNS filtering (OpenDNS) configuration
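The first indicator above, a burst of pushes followed by an approval and a session, as detection logic over sample log lines. This is an added example for this page, not Uber's code and not any MFA vendor's rule. The JSON-lines format (ts, user, event, result, src_ip), the thresholds, and every record in SAMPLE_LOG are constructed for the example; map the field names onto your own IdP export (Entra sign-in logs, the Okta System Log, and Duo authentication logs all carry equivalents) before running it against real data.

```python
"""Push-bombing (ATT&CK T1621) detection over MFA/IdP logs.

Added example for this page; not Uber's code and not a vendor rule. Log
format and sample records are constructed; thresholds are assumptions.
"""
import json
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: a contractor account receives eight pushes from a single
# unfamiliar IP in nine minutes, ignores or denies seven, approves the eighth,
# and a session is then established from the same IP. A second user shows
# normal behaviour: one push per sign-in, hours apart.
SAMPLE_LOG = """\
{"ts":"2022-09-15T02:00:05Z","user":"ext.contractor@example.com","event":"mfa_push","result":"timeout","src_ip":"203.0.113.7"}
{"ts":"2022-09-15T02:01:10Z","user":"ext.contractor@example.com","event":"mfa_push","result":"timeout","src_ip":"203.0.113.7"}
{"ts":"2022-09-15T02:02:20Z","user":"ext.contractor@example.com","event":"mfa_push","result":"denied","src_ip":"203.0.113.7"}
{"ts":"2022-09-15T02:03:30Z","user":"ext.contractor@example.com","event":"mfa_push","result":"denied","src_ip":"203.0.113.7"}
{"ts":"2022-09-15T02:04:40Z","user":"ext.contractor@example.com","event":"mfa_push","result":"timeout","src_ip":"203.0.113.7"}
{"ts":"2022-09-15T02:05:50Z","user":"ext.contractor@example.com","event":"mfa_push","result":"denied","src_ip":"203.0.113.7"}
{"ts":"2022-09-15T02:07:00Z","user":"ext.contractor@example.com","event":"mfa_push","result":"denied","src_ip":"203.0.113.7"}
{"ts":"2022-09-15T02:09:15Z","user":"ext.contractor@example.com","event":"mfa_push","result":"approved","src_ip":"203.0.113.7"}
{"ts":"2022-09-15T02:09:40Z","user":"ext.contractor@example.com","event":"login_success","result":"ok","src_ip":"203.0.113.7"}
{"ts":"2022-09-15T08:00:00Z","user":"alice@example.com","event":"mfa_push","result":"approved","src_ip":"198.51.100.4"}
{"ts":"2022-09-15T08:00:20Z","user":"alice@example.com","event":"login_success","result":"ok","src_ip":"198.51.100.4"}
{"ts":"2022-09-15T17:30:00Z","user":"alice@example.com","event":"mfa_push","result":"approved","src_ip":"198.51.100.4"}
"""


@dataclass
class Alert:
    user: str
    src_ip: str
    first: datetime                 # first push in the burst window
    last: datetime                  # most recent push counted into the burst
    pushes: int = 0                 # pushes attributed to the burst
    denied_or_ignored: int = 0      # pushes the user denied or let time out
    approved: bool = False          # at least one push in the burst was approved
    login_after: bool = False       # a session followed the approval from the same IP


def parse_log(text):
    """Parse JSON lines into dicts with a timezone-aware datetime in 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def _count(alert, ts, result):
    alert.pushes += 1
    alert.last = ts
    if result == "approved":
        alert.approved = True
    else:
        alert.denied_or_ignored += 1


def detect_push_bombing(events, min_pushes=5, window=timedelta(minutes=10)):
    """One Alert per (user, src_ip) that receives at least min_pushes pushes
    inside a sliding window. Once a burst is open, every later push for that
    pair is attributed to it, and a login_success from the same IP within
    `window` of the last push marks login_after."""
    recent = defaultdict(deque)   # (user, src_ip) -> (ts, result) inside window
    alerts = {}
    for ev in events:
        key = (ev["user"], ev["src_ip"])
        alert = alerts.get(key)
        if ev["event"] == "login_success":
            if alert and alert.approved and ev["ts"] - alert.last <= window:
                alert.login_after = True
            continue
        if ev["event"] != "mfa_push":
            continue
        if alert is not None:
            _count(alert, ev["ts"], ev["result"])
            continue
        q = recent[key]
        q.append((ev["ts"], ev["result"]))
        while ev["ts"] - q[0][0] > window:   # q holds the current event, never empty
            q.popleft()
        if len(q) >= min_pushes:
            alert = alerts[key] = Alert(ev["user"], ev["src_ip"], q[0][0], q[0][0])
            for ts, result in q:             # back-fill pushes already in the window
                _count(alert, ts, result)
    return list(alerts.values())


def severity(alert):
    if alert.approved and alert.login_after:
        return "critical"   # the Uber outcome: a fatigue approval became a session
    if alert.approved:
        return "high"
    return "medium"         # bombing in progress; the user is still holding out


if __name__ == "__main__":
    for a in detect_push_bombing(parse_log(SAMPLE_LOG)):
        print(f"[{severity(a)}] {a.user} from {a.src_ip}: {a.pushes} pushes "
              f"{a.first:%H:%M:%S}-{a.last:%H:%M:%S}, {a.denied_or_ignored} denied/ignored, "
              f"approved={a.approved}, login_after={a.login_after}")
```

On the sample, the contractor account produces one critical alert (8 pushes, 7 denied or ignored, approval followed by a login) and alice produces none. The sliding window is keyed on user plus source IP because a legitimate user re-prompting from their own laptop and an attacker hammering from a marketplace-sourced credential look identical if you only count per user; the back-fill step makes sure the pushes that opened the burst are part of the reported count.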
Lessons for defenders
Push-based MFA is a transition technology, not a destination. The Uber incident showed that a user facing a stream of prompts plus a plausible pretext from 'IT' will eventually approve one; no prompt volume is safe when the approval decision is a single tap with no context. FIDO2 hardware tokens and platform passkeys bind the authentication to the origin and never ask the user to approve a request they did not initiate, which removes the fatigue attack surface entirely.
Number matching mitigates push fatigue without hardware tokens. Microsoft Authenticator number matching, Duo Verified Push, and Okta Verify number challenge require the user to enter or pick a number that is shown only on the login screen, so a push cannot be approved blindly from a phone the attacker never sees. Microsoft has enforced number matching for all Authenticator push notifications since May 2023; at other providers the feature may still need explicit policy enablement, so verify the tenant setting rather than assume it.
Hardcoded credentials in scripts on file shares are a tier-zero control failure. The Uber actor escalated through a PAM admin secret stored in a PowerShell script on a network share. Credential scanning of source repositories, file shares, and CI environments using tools like TruffleHog, Gitleaks, or vendor-native scanning catches this pattern before an attacker does, but only if the scan actually covers shares and automation hosts rather than just git history.
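The file-share scan described above, as an added example for this page rather than Uber's tooling or TruffleHog/Gitleaks. The rule set is a deliberately small, PowerShell-oriented subset of what those tools carry; the two scripts embedded below are constructed to resemble the failure mode in kind (a PAM admin secret embedded in an automation script, then the same script with the secret taken out of the file) and are not Uber's script. Paths, credential values, and hostnames are made up.

```python
"""Hardcoded-credential scan for scripts on file shares.

Added example for this page; not Uber's tooling and not TruffleHog/Gitleaks.
Rules are a small illustrative subset; both sample scripts are constructed.
"""
import os
import re
from dataclasses import dataclass

# Constructed sample: the kind of script that turned a contractor compromise
# into a PAM compromise. Credential values and hostname are invented.
SAMPLE_SCRIPT = r'''# pam-sync.ps1 (constructed sample)
$pamUrl = "https://pam.internal.example/api"
$pamUser = "svc-pam-admin"
$pamPassword = "Wint3r2022!"
$secure = ConvertTo-SecureString "Wint3r2022!" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($pamUser, $secure)
Invoke-RestMethod -Uri "https://svc-pam-admin:Wint3r2022!@pam.internal.example/api/token" -Method Post
'''

# Constructed hardened equivalent: the secret is supplied at run time and
# never written into the file, so the scan should stay silent.
HARDENED_SCRIPT = r'''# pam-sync.ps1, hardened (constructed sample)
$pamUrl = "https://pam.internal.example/api"
$cred = Get-Credential -UserName "svc-pam-admin" -Message "PAM admin credential"
Invoke-RestMethod -Uri "$pamUrl/token" -Method Post -Credential $cred
'''

# Each rule captures the secret itself in a named group so it can be redacted
# before the finding is written anywhere (a scanner that logs secrets in the
# clear just creates a second copy of the problem).
RULES = [
    ("plaintext-securestring",
     re.compile(r'ConvertTo-SecureString\s+(["\'])(?P<secret>[^"\']+)\1\s+-AsPlainText', re.I)),
    ("password-parameter",
     re.compile(r'-(?:Password|Pass|Pwd|Secret|ApiKey|Token)\s+(["\'])(?P<secret>[^"\']{4,})\1', re.I)),
    ("credential-variable",
     re.compile(r'\$\w*(?:pass|pwd|secret|token|apikey)\w*\s*=\s*(["\'])(?P<secret>[^"\']{4,})\1', re.I)),
    ("basic-auth-url",
     re.compile(r'[a-z]+://[^\s/:@"\']+:(?P<secret>[^\s/@"\']+)@', re.I)),
]


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    redacted: str   # first two characters of the matched secret, rest masked


def redact(secret):
    return secret[:2] + "*" * max(len(secret) - 2, 3)


def scan_text(text, path):
    """Run every rule over every line; one Finding per (line, rule) hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in RULES:
            m = rx.search(line)
            if m:
                findings.append(Finding(path, lineno, name, redact(m.group("secret"))))
    return findings


def scan_tree(root, exts=(".ps1", ".psm1", ".bat", ".cmd", ".sh", ".py")):
    """Walk a mounted share (or any directory) and scan script-like files.
    Unreadable files are skipped rather than aborting the whole scan."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                try:
                    with open(path, encoding="utf-8", errors="ignore") as f:
                        findings.extend(scan_text(f.read(), path))
                except OSError:
                    continue
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_SCRIPT, "\\\\fileserver\\scripts\\pam-sync.ps1"):
        print(f"{f.path}:{f.line} {f.rule} secret={f.redacted}")
    print("hardened findings:", scan_text(HARDENED_SCRIPT, "pam-sync.ps1"))
```

The vulnerable sample yields three findings (the plaintext variable, the `ConvertTo-SecureString ... -AsPlainText` conversion, and a basic-auth URL), the hardened one yields none. `scan_tree` is what you would point at a mounted share; the file-extension allowlist is an assumption to tune, since the Uber script was PowerShell but the same secret shows up in batch files, shell scripts and Python on real shares.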
Contractor identity is enterprise identity. The contractor who approved the push was an EXT (external) account with effective enterprise privileges. Joiner-Mover-Leaver hygiene, MFA enforcement, and access review cadence for contractors must match employee controls, not be relaxed because the relationship is external.
Tabletop the 'attacker has helpdesk-equivalent access' scenario. Lapsus$ tradecraft consistently abuses human helpdesk and contractor relationships. Tabletop exercises that assume social engineering succeeded expose where the second defensive layer fires. Most environments discover the second layer is missing.
Frequently asked questions
What is MFA fatigue and how did it work in the Uber breach?
MFA fatigue, formalized as MITRE ATT&CK T1621 (Multi-Factor Authentication Request Generation), sends repeated push prompts to overwhelm a target into approving one. In the Uber case the actor combined push bombing with a WhatsApp message impersonating Uber IT, telling the contractor that approving a prompt would stop the notifications. The contractor approved.
How did the Uber attacker escalate from contractor access to admin?
Per security researcher Corben Leo's communication with the actor, network reconnaissance found a PowerShell script on an internal network share that contained hardcoded administrative credentials for Uber's Thycotic Privileged Access Management deployment. Authenticating to PAM with those credentials gave the actor secrets for many other systems.
What changed in MFA practices after the Uber incident?
MITRE ATT&CK had added T1621 in April 2022, and the Uber incident became its most cited example. CISA published fact sheets on phishing-resistant MFA and on number matching in October 2022, recommending FIDO2/WebAuthn over push. Microsoft made number matching mandatory for all Authenticator push notifications on May 8, 2023; Okta Verify number challenge and Duo Verified Push provide the same control. OMB M-22-09 (January 2022) already required federal agencies to move to phishing-resistant MFA by the end of FY2024.
Sources
- Uber Newsroom: Security Update (September 16, 2022; updated September 19, 2022) · Uber's official incident statement, covering the EXT contractor compromise and the attribution to Lapsus$
- BleepingComputer: Uber Links Breach to Lapsus$ Group · September 19, 2022 reporting of Lapsus$ attribution
- MITRE ATT&CK T1621 Multi-Factor Authentication Request Generation · MITRE technique that generalizes the MFA fatigue pattern
- CISA/FBI Joint Advisory AA22-074A (March 2022) · Joint advisory on abuse of default MFA configurations; contextual background on MFA bypass, not specific to Lapsus$
- CISA: Implementing Phishing-Resistant MFA and Implementing Number Matching in MFA Applications (October 2022) · The fact sheets referenced above
- DOJ Press Release: Conviction of Joseph Sullivan (October 2022) · Conviction of Uber's former CSO related to the 2016 breach (separate but contextual)
DecipherU is not affiliated with, endorsed by, or sponsored by any company listed in this directory. Information compiled from publicly available sources for educational purposes.