On the 15th of September, 2022, Uber announced that it was hacked.
Speaking to The New York Times, Sam Curry, a software security engineer at Yuga Labs, said: “They [the hacker] pretty much have full access to Uber. This is a total compromise, from what it looks like.”
A breach of this size on a household name company should not have happened. Uber is a huge company that spends heavily on security, and this isn’t its first major data compromise. In 2016 cybercriminals stole data on 57 million people, and Uber paid a $100,000 ransom to prevent this data from being publicized. So how did it fall victim to another major breach?
To hack Uber in 2022, threat actors took advantage of Uber’s weak multi-factor authentication (MFA) deployment. Sending a phishing text to an employee’s personal phone number, the attacker successfully bypassed the company’s authentication processes.
Employee PII Exposure + Weak MFA Driving Major Breaches
The Uber breach, which might have been the work of a hacker from the Lapsus$ extortion group, began with the attacker getting their hands on an Uber contractor’s credentials. According to Uber, the credentials were more than likely bought on the dark web.
The hacker then tried to use the contractor’s credentials to log into an account connected to Uber’s network. However, due to Uber using MFA, they were initially unsuccessful. Each time the hacker tried to access the contractor’s account, the contractor received an MFA login approval request, blocking account access.
Rather than giving up, the hacker contacted the contractor directly on WhatsApp, claiming to be Uber IT support. The contractor then accepted the MFA request, giving the hacker access to their account. From here, the hacker was able to escalate privileges and move laterally within Uber’s IT environment. At this point, it was game over for Uber.
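The pattern described above, several approval prompts that are ignored or denied and then one that is accepted, is visible in MFA provider logs. The following detection script is an added example, not code from the original article or from Uber; the log format, field names and sample lines are constructed for the example, and the window and prompt threshold are assumptions to tune per environment.

```python
"""Flag MFA push-fatigue patterns: many push prompts in a short window
that end in an approval. Log format (constructed for this example):
timestamp,user,event,device with event in
push_sent / push_denied / push_expired / push_approved."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: contractor1 receives four prompts in eight
# minutes and finally approves one; alice is a normal single prompt.
SAMPLE_LOG = """\
2022-09-15T01:02:10Z,contractor1,push_sent,dev-new
2022-09-15T01:02:40Z,contractor1,push_expired,dev-new
2022-09-15T01:03:05Z,contractor1,push_sent,dev-new
2022-09-15T01:03:15Z,contractor1,push_denied,dev-new
2022-09-15T01:05:00Z,contractor1,push_sent,dev-new
2022-09-15T01:05:30Z,contractor1,push_expired,dev-new
2022-09-15T01:09:50Z,contractor1,push_sent,dev-new
2022-09-15T01:10:05Z,contractor1,push_approved,dev-new
2022-09-15T08:00:00Z,alice,push_sent,alice-phone
2022-09-15T08:00:05Z,alice,push_approved,alice-phone
"""


def parse_log(text):
    """Parse the constructed CSV format into (timestamp, user, event, device)."""
    events = []
    for line in text.strip().splitlines():
        ts, user, event, device = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, device))
    return events


def find_push_fatigue(text, window=timedelta(minutes=10), min_prompts=3):
    """Return one alert per approval that was preceded by min_prompts or
    more push prompts (including its own) within the window. Thresholds
    are assumed values, not numbers from the article."""
    alerts = []
    pending = defaultdict(list)  # user -> timestamps of prompts since last approval
    for ts, user, event, device in parse_log(text):
        if event == "push_sent":
            pending[user].append(ts)
        elif event == "push_approved":
            recent = [t for t in pending[user] if ts - t <= window]
            if len(recent) >= min_prompts:
                alerts.append({"user": user, "approved_at": ts,
                               "prompts": len(recent), "device": device})
            pending[user].clear()
    return alerts


if __name__ == "__main__":
    for alert in find_push_fatigue(SAMPLE_LOG):
        print(alert)
```

A hit is a trigger for review (revoke the session, contact the user out of band), not proof of compromise on its own; a user who mistaps a few times will also match.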
This type of social-engineering man-in-the-middle (MITM) attack is becoming more common among cybercriminals, and it is often used to bypass badly implemented MFA.
For example, last month, Group-IB released a report on a text-based phishing campaign called 0ktapus that compromised more than 130 companies. Sent directly to employees, the phishing texts contained a fraudulent Okta login page that asked targets to enter their credentials and two-factor authentication (2FA) codes.
These attacks were responsible for breaches at companies like Twilio, Klaviyo, and MailChimp. In Twilio’s case, threat actors sent phishing texts to both employees and employees’ family members.
Data brokers are one potential source for personal employee phone numbers criminals use to carry out these attacks. We know that cybercriminal groups use data broker databases to identify potential targets and even find contacts to “name drop” in phishing attacks.
Three Takeaway Lessons from the Uber Breach
MFA undoubtedly makes IT environments more secure. However, the key point to remember here is that not all MFA is equal. As the Uber breach shows, no organization should rely entirely on knowledge-based MFA as an authentication process — especially if it doesn’t have any internal trust barriers.
- PII is an attack vector. With employee personally identifiable information (PII), including their phone numbers, easily obtainable on the open web, bypassing ineffective MFA is frequently only a matter of crafting a convincing phishing lure.
- Zero trust has never been more important. If a company doesn’t have a “zero trust” security environment (Uber didn’t), there’s nothing stopping hackers from reaching resources that have further credentials baked into them. They can then move deeper into the rest of the corporate network in search of high-value assets.
- FIDO2 MFA is critical. For companies that want to minimize the risk of ending up in the same position as Uber, Twilio, and so many others, investing in better MFA—one that is FIDO2 (passwordless authentication open standard) compliant—is a must. Backed by major tech companies like Google, Microsoft, and Apple, FIDO2 bypasses the risks of easy-to-steal credentials and weak MFA.