1. Introduction
The Uber Lapsus$ Breach 2022 stands as a pivotal moment in cybersecurity, highlighting the dangers of MFA fatigue attacks and the evolving tactics of cybercriminal groups. This breach not only exposed vulnerabilities in Uber’s digital infrastructure but also underscored the importance of robust multi-factor authentication (MFA) strategies and user education. As organizations increasingly rely on MFA to secure accounts, attackers have adapted, leveraging social engineering and psychological manipulation to bypass these defenses. This case study explores the anatomy of the Uber breach, the role of the Lapsus$ group, and actionable lessons for preventing similar incidents.
2. Background: Uber and Lapsus$
To fully understand the Uber Lapsus$ Breach 2022, it’s essential to examine both the target—Uber—and the threat actor—Lapsus$. This context reveals why Uber was a lucrative target and how Lapsus$ operates.
2.1 Overview of Uber’s Digital Infrastructure
Uber is a global ride-hailing and food delivery company, operating in over 70 countries and managing vast amounts of sensitive data. Its digital infrastructure includes:
- Cloud services (AWS, Google Cloud Platform)
- Internal developer platforms (GitHub, Slack, Google Workspace)
- Customer and driver databases
- Payment processing systems
The complexity and scale of Uber’s systems make it a high-value target for cybercriminals seeking data or notoriety.
2.2 Who is Lapsus$?
Lapsus$ is a cybercriminal group known for high-profile breaches, including attacks on Microsoft, Nvidia, and Okta. Unlike traditional ransomware gangs, Lapsus$ often seeks publicity and disruption rather than just financial gain. Their tactics heavily rely on social engineering and exploiting human vulnerabilities, as documented by CISA and BleepingComputer.
3. Timeline of the 2022 Breach
The Uber Lapsus$ Breach 2022 unfolded rapidly, demonstrating the effectiveness of MFA fatigue attacks and the need for swift incident response.
3.1 Initial Access
In September 2022, Lapsus$ gained initial access to Uber’s internal systems by targeting an external contractor. The attacker obtained the contractor’s credentials, likely through a combination of phishing and purchasing credentials from dark web marketplaces, as reported by CrowdStrike.
3.2 Escalation and Discovery
After acquiring valid credentials, the attacker initiated a barrage of MFA push notifications to the contractor’s device—a technique known as MFA fatigue. Eventually, the contractor, overwhelmed by the repeated prompts, approved one, granting the attacker access. Once inside, Lapsus$ escalated privileges by locating high-value credentials on Uber’s internal network and cloud storage.
3.3 Uber’s Response
Uber detected suspicious activity and initiated its incident response plan. The company disabled affected accounts, engaged cybersecurity experts, and notified law enforcement. Uber also provided public updates and worked to contain the breach, as detailed in their official statement.
4. Understanding MFA Fatigue Attacks
MFA fatigue attacks have emerged as a significant threat, exploiting the very mechanisms designed to enhance security. Understanding this technique is crucial for effective defense.
4.1 What is MFA Fatigue?
MFA fatigue refers to the psychological exhaustion users experience when bombarded with repeated MFA push notifications. Attackers exploit this by sending numerous authentication requests, hoping the user will eventually approve one out of frustration or confusion. According to CISA, this method has become increasingly common in recent breaches.
4.2 How Attackers Exploit MFA Fatigue
Attackers typically:
- Obtain valid credentials via phishing, malware, or credential dumps
- Initiate a flood of MFA push requests to the victim’s device
- Rely on the victim’s annoyance or confusion to approve a request
This technique bypasses the intended security of MFA, as the human element becomes the weakest link.
4.3 Prevalence in Recent Breaches
MFA fatigue attacks have been implicated in several high-profile incidents, including breaches at Microsoft, Cisco, and Okta. The Microsoft Security Blog and CISA have both issued warnings about the rising prevalence of this attack vector.
5. Anatomy of the Uber Breach
The Uber Lapsus$ Breach 2022 illustrates how MFA fatigue, combined with social engineering, can compromise even well-defended organizations.
5.1 Attack Vector Used
The primary attack vector was a combination of credential theft and MFA fatigue. The attacker:
- Acquired valid credentials for an external contractor’s account
- Launched a sustained MFA push attack
- Gained access when the contractor approved a request
Once inside, the attacker moved laterally, searching for privileged credentials and sensitive data.
5.2 Social Engineering Tactics
Lapsus$ is notorious for its social engineering prowess. In this breach, tactics included:
- Impersonating IT staff to gain trust
- Sending convincing phishing messages
- Exploiting urgency and confusion to elicit cooperation
Social engineering remains a critical threat, as highlighted by SANS Institute.
5.3 Compromised Systems and Data
The breach affected multiple systems, including:
- Uber’s internal Slack workspace
- Google Workspace and AWS accounts
- Internal dashboards and code repositories
While Uber stated that no sensitive customer data was compromised, internal documentation, engineering systems, and financial information were accessed. Forensic analysis by Mandiant confirmed the extent of lateral movement and data exposure.
6. Impact and Consequences
The Uber Lapsus$ Breach 2022 had immediate and long-term consequences for Uber’s operations, data integrity, and reputation.
6.1 Immediate Operational Impact
Uber temporarily disabled several internal tools and communication platforms to contain the breach. Employees were instructed to avoid using Slack and other affected systems. This disruption impacted business operations and delayed ongoing projects.
6.2 Data Exposed
Although Uber reported that no sensitive user data (such as trip histories or payment information) was accessed, the attacker obtained:
- Internal documentation
- Source code repositories
- Financial and engineering data
The exposure of internal information could aid future attacks or be leveraged for competitive intelligence. Organizations can reduce this risk by commissioning professional password audits and testing, so that weak or already-exposed credentials are identified and remediated before attackers use them.
6.3 Reputational Damage
The breach attracted widespread media attention, damaging Uber’s reputation and eroding customer trust. Regulatory scrutiny increased, and Uber faced questions about its security posture and incident response. According to ISACA, such incidents can have lasting effects on brand value and customer loyalty.
7. Lessons Learned
The Uber Lapsus$ Breach 2022 offers critical lessons for organizations seeking to defend against MFA fatigue and social engineering attacks.
7.1 Security Awareness and Training
User education is paramount. Employees and contractors must be trained to recognize social engineering tactics and understand the risks of approving unsolicited MFA requests. Regular security awareness programs, as recommended by NIST, can reduce susceptibility to such attacks.
7.2 Strengthening MFA Implementation
Organizations should:
- Implement phishing-resistant MFA methods, such as FIDO2 security keys
- Limit the number of allowed MFA attempts
- Monitor for abnormal authentication patterns
Guidance from CISA and OWASP emphasizes the importance of robust MFA configurations. Applying password policy best practices alongside MFA further strengthens authentication security.
7.3 Incident Response Improvements
A well-practiced incident response plan is essential. Organizations should:
- Conduct regular tabletop exercises
- Ensure rapid detection and containment capabilities
- Establish clear communication channels for reporting suspicious activity
The FIRST and CIS offer frameworks for effective incident response.
8. Preventing MFA Fatigue Attacks
Proactive measures can significantly reduce the risk of MFA fatigue attacks and similar breaches.
8.1 Technical Controls
Key technical controls include:
- Phishing-resistant MFA: Use hardware tokens or biometric authentication
- Adaptive authentication: Analyze contextual signals (location, device, time)
- Rate limiting: Restrict the number of MFA requests per user per time frame
- Alerting: Notify users and security teams of unusual authentication activity
For more on technical controls, see CIS Controls and Microsoft Security Blog. To further reduce password-related risk, organizations should understand how brute-force attacks are typically configured and apply the corresponding mitigation best practices (account lockout, attempt limits and rate limiting) to close off those attack vectors.
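As an added example for the rate-limiting, alerting and adaptive-signal controls listed above (and the "limit MFA attempts" and "monitor for abnormal authentication patterns" recommendations in section 7.2), the script below runs over a constructed JSON-lines authentication log. It is not code from the original article, from Uber, or from any identity provider; the log field names (ts, user, event, src_ip), the thresholds, the user names, the known-network baseline and the IP addresses are all assumptions made for the example. It models a per-user sliding-window push limit, counts pushes and denials that precede an approval, and flags approvals whose originating login came from outside the user's usual networks.

```python
"""Model a per-user MFA push rate limit and alert on push-bombing patterns.

Added example for this case study; not code from the original article, from Uber,
or from any identity provider. The JSON-lines log format (fields ts, user, event,
src_ip), the thresholds, the user names, the networks and the addresses are all
constructed for the example.
"""
from __future__ import annotations

import ipaddress
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

PUSH_LIMIT = 4                  # assumed policy: at most 4 pushes per user per WINDOW
ALERT_AFTER = 3                 # an approval after 3+ pushes in WINDOW is suspicious
WINDOW = timedelta(minutes=10)

# Constructed baseline of the networks each user normally signs in from.
KNOWN_NETWORKS = {
    "contractor01": [ipaddress.ip_network("203.0.113.0/24")],
    "employee42": [ipaddress.ip_network("203.0.113.0/24")],
}

# Constructed sample log: a burst of pushes to contractor01 triggered from an
# unfamiliar address, repeated denials, then an approval; employee42 is normal.
SAMPLE_LOG = """\
{"ts": "2022-09-15T22:01:00Z", "user": "contractor01", "event": "mfa_push_sent", "src_ip": "198.51.100.7"}
{"ts": "2022-09-15T22:01:05Z", "user": "contractor01", "event": "mfa_push_denied"}
{"ts": "2022-09-15T22:01:30Z", "user": "contractor01", "event": "mfa_push_sent", "src_ip": "198.51.100.7"}
{"ts": "2022-09-15T22:01:40Z", "user": "contractor01", "event": "mfa_push_denied"}
{"ts": "2022-09-15T22:02:00Z", "user": "contractor01", "event": "mfa_push_sent", "src_ip": "198.51.100.7"}
{"ts": "2022-09-15T22:02:10Z", "user": "contractor01", "event": "mfa_push_denied"}
{"ts": "2022-09-15T22:02:30Z", "user": "contractor01", "event": "mfa_push_sent", "src_ip": "198.51.100.7"}
{"ts": "2022-09-15T22:03:00Z", "user": "contractor01", "event": "mfa_push_sent", "src_ip": "198.51.100.7"}
{"ts": "2022-09-15T22:03:30Z", "user": "contractor01", "event": "mfa_push_sent", "src_ip": "198.51.100.7"}
{"ts": "2022-09-15T22:04:00Z", "user": "contractor01", "event": "mfa_push_approved"}
{"ts": "2022-09-15T22:10:00Z", "user": "employee42", "event": "mfa_push_sent", "src_ip": "203.0.113.20"}
{"ts": "2022-09-15T22:10:08Z", "user": "employee42", "event": "mfa_push_approved"}
"""


def parse_line(line: str) -> dict:
    """Parse one JSON log record and convert its timestamp to a datetime."""
    rec = json.loads(line)
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec


def trim(q: deque, now: datetime, window: timedelta) -> None:
    """Drop timestamps that have fallen out of the sliding window."""
    while q and now - q[0] > window:
        q.popleft()


def is_known_source(user: str, ip: ipaddress.IPv4Address | ipaddress.IPv6Address) -> bool:
    """Adaptive signal: does the login source fall inside the user's usual networks?"""
    return any(ip in net for net in KNOWN_NETWORKS.get(user, []))


def analyze(log_text: str, limit: int = PUSH_LIMIT, alert_after: int = ALERT_AFTER,
            window: timedelta = WINDOW) -> dict:
    """Return the pushes a rate limit would block and the approvals that warrant an alert."""
    attempts = defaultdict(deque)   # user -> timestamps of push requests
    denials = defaultdict(deque)    # user -> timestamps of denied pushes
    last_src = {}                   # user -> source address of the latest push
    throttled, alerts = [], []
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        user, ts, event = rec["user"], rec["ts"], rec["event"]
        if event == "mfa_push_sent":
            q = attempts[user]
            trim(q, ts, window)
            if len(q) >= limit:
                # Rate limiting: a policy of `limit` pushes per window would not send this one.
                throttled.append({"user": user, "ts": ts.isoformat()})
            q.append(ts)
            last_src[user] = ipaddress.ip_address(rec["src_ip"])
        elif event == "mfa_push_denied":
            denials[user].append(ts)
        elif event == "mfa_push_approved":
            trim(attempts[user], ts, window)
            trim(denials[user], ts, window)
            src = last_src.get(user)
            # No recorded source is treated as unknown rather than trusted.
            unknown = src is None or not is_known_source(user, src)
            pushes = len(attempts[user])
            if pushes >= alert_after or unknown:
                alerts.append({
                    "user": user,
                    "ts": ts.isoformat(),
                    "pushes_in_window": pushes,
                    "denials_in_window": len(denials[user]),
                    "source": str(src) if src else None,
                    "unknown_source": unknown,
                })
    return {"throttled": throttled, "alerts": alerts}


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

On the sample log, the fifth and sixth pushes to contractor01 fall beyond the four-per-window limit and are reported as throttled, and the approval at 22:04 is flagged because it follows six pushes and three denials in the window and originates from an address outside the user's baseline network; employee42's single push and prompt approval produce no alert. The same logic can be fed from an identity provider's exported sign-in logs once the field names are mapped.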
8.2 Policy Recommendations
Organizations should establish policies to:
- Limit the use of push-based MFA in favor of more secure methods
- Enforce strong password policies and regular credential audits
- Require immediate reporting of suspicious MFA activity
Policies should be regularly reviewed and updated in line with guidance from ISO/IEC 27001 and NIST. Estimating how long a brute-force attack would take under a given policy (attempt limits and time-to-crack calculations) also helps organizations assess whether that password policy is effective.
8.3 User Education
Continuous user education is vital. Training should cover:
- Recognizing and resisting MFA fatigue attacks
- Reporting suspicious requests promptly
- Understanding the importance of secure authentication
Resources from SANS Institute and CISA provide valuable training materials.
9. Conclusion
The Uber Lapsus$ Breach 2022 is a stark reminder that even advanced security measures like MFA can be undermined by human factors and social engineering. MFA fatigue attacks exploit psychological weaknesses, emphasizing the need for comprehensive security strategies that combine technical controls, robust policies, and continuous user education. By learning from this breach and implementing best practices, organizations can better defend against evolving threats and protect their critical assets.
10. References
- CISA: Understanding and Mitigating MFA Fatigue Attacks
- Uber Security Update
- CrowdStrike: Uber Breach and MFA Fatigue
- Microsoft Security Blog: Lapsus$ Attacks
- BleepingComputer: Lapsus$ Group Activity
- SANS Institute: Social Engineering
- Mandiant: Uber Breach Analysis
- ISACA: Uber Breach and MFA Fatigue
- NIST: Security Awareness Training
- OWASP: Authentication Cheat Sheet
- FIRST: Incident Response
- CIS: Incident Response and Management
- CIS Controls: Secure Configuration
- ISO/IEC 27001: Information Security Management
- NIST: Multi-Factor Authentication Basics
- SANS Institute: Security Awareness Training
- CISA: Secure Our World