Uber — 2016 cover-up + 2022 social-engineering breach

Uber concealed a 2016 breach of 57M records by paying the attacker as a bug bounty; a 2022 Lapsus$ intrusion exposed internal systems and executive Slack messages.

Target: Uber — 2016 cover-up + 2022 social-engineering breach
Date public: 15 September 2022
Sector: Technology
Attack type: Data Breach
Threat actor: Lapsus$ (2022); Brandon Glover and Vasile Mereacre (2016)
Severity: High
Region: Global

Uber has been breached twice in ways that became landmarks in security history. In 2016 hackers found Uber's AWS login details on a public GitHub page — a mistake a developer made by accidentally publishing credentials alongside code. The hackers used those credentials to download the personal data of 57 million riders and drivers. Uber's security team found out, paid the hackers $100,000 in Bitcoin, and told no one for a year. When the cover-up eventually became public, Uber's Chief Security Officer — the person responsible for protecting user data — was convicted of a federal crime for hiding the breach from regulators. It was the first time a company's top security executive had been criminally convicted for decisions made during a breach response. In 2022 the same basic script played out differently. A hacker bought an Uber contractor's stolen login details online, then bombarded them with non-stop multi-factor authentication alerts until the contractor gave in and approved one. Once inside, the hacker found a file containing admin passwords written in plain text, which opened up almost every internal system Uber had. They then announced the breach in Uber's own company Slack channel.

What happened

Uber appears in this catalogue twice because its security history contains two distinct incidents, separated by six years, that each introduced something new to the field.

The 2016 incident involved attackers finding AWS credentials on a public GitHub repository, using them to download data belonging to 57 million riders and drivers, and demanding a $100,000 ransom for non-disclosure. Uber paid — through HackerOne’s bug-bounty infrastructure, labelling the payment as a legitimate bug report, which it was not — and then concealed the breach from regulators and affected users for more than a year. The cover-up was disclosed in November 2017 by new CEO Dara Khosrowshahi. Uber’s former CISO, Joseph Sullivan, was subsequently convicted in October 2022 of obstruction of justice and misprision of a felony — the first US criminal conviction of a Chief Information Security Officer for decisions made during breach response.

The 2022 incident was technically separate and involved different attackers. A Lapsus$ affiliate purchased credentials belonging to an Uber contractor on the dark web and used MFA fatigue — a relentless stream of authentication push notifications — to trick the contractor into approving access. Once inside, the attacker found a file on an internal network share containing hard-coded admin credentials for Uber’s privileged access management (PAM) system. Those credentials cascaded access across Uber’s internal environment. The attacker subsequently posted in Uber’s internal Slack announcing the breach, posted screenshots to the @UberComms Twitter account, and submitted a report to HackerOne — the same bug-bounty programme Uber had misused to pay the 2016 ransom.

How it worked

2016: Exposed credentials on GitHub. A developer working on Uber’s infrastructure had inadvertently committed AWS access keys into a GitHub repository. The repository was either public or otherwise accessible to the attackers. The credentials were valid and had not been rotated. Attackers used them to authenticate to AWS and locate an S3 bucket containing rider and driver data — including names, email addresses, phone numbers, and in the case of drivers, driving-licence numbers. 57 million records were downloaded. The attackers, Brandon Glover and Vasile Mereacre, contacted Uber demanding payment. Uber security leadership, including Sullivan, facilitated a payment through HackerOne’s platform and required the attackers to sign non-disclosure agreements — treating a criminal extortion as if it were a legitimate vulnerability report. The breach was not disclosed to the FTC, which had an existing consent order with Uber relating to an earlier privacy matter, or to affected users.

2022: MFA fatigue and hard-coded credentials. The attacker — an 18-year-old in the UK subsequently identified as part of the broader Lapsus$ network — purchased credentials for an Uber contractor account from a dark-web marketplace. The credentials alone were insufficient because the account was protected by multi-factor authentication. The attacker resolved this by sending continuous MFA push notifications to the contractor’s phone. After more than an hour of repeated prompts, the contractor approved one — either by accident or in the belief that doing so would stop the notifications. The attacker then contacted the contractor on WhatsApp, posing as an Uber IT employee, and confirmed the approval.

With authenticated access, the attacker began enumerating internal systems. On a shared network drive, they found a PowerShell script that contained hard-coded admin credentials for Thycotic — Uber’s privileged access management system. PAM systems are designed to store and manage privileged credentials; getting admin access to Thycotic meant getting access to the credentials it managed. The attacker used these to reach Uber’s AWS console, GCP environment, vSphere infrastructure, Slack workspace, HackerOne programme (where they could view sensitive bug reports), and various internal engineering tools. Uber confirmed that no rider or driver data was exfiltrated in the 2022 incident.

Timeline

2016 incident:

  • October 2016 — Attackers access Uber’s GitHub and find valid AWS access keys. S3 bucket containing 57M user and driver records downloaded.
  • November 2016 — Attackers contact Uber. CISO Joseph Sullivan facilitates $100K payment via HackerOne, disguised as a bug bounty. NDAs signed. Breach not reported to FTC.
  • November 2017 — Incoming CEO Dara Khosrowshahi discloses the breach publicly. Uber fires Sullivan.
  • August 2020 — DOJ indicts Sullivan for obstruction.
  • October 2022 — Sullivan convicted on two federal counts. Sentenced in 2023 to three years’ probation.

2022 incident:

  • September 2022 — Attacker purchases contractor credentials on dark web; runs MFA fatigue attack. Contractor approves MFA prompt after sustained bombardment.
  • 15 September 2022 — Attacker finds Thycotic admin credentials in PowerShell script on internal share. Accesses AWS, GCP, vSphere, Slack, HackerOne. Posts announcement in Uber’s #announcements Slack channel.
  • 15–16 September 2022 — Uber detects breach, takes systems offline, engages FBI and DOJ.
  • September 2022 — Uber publishes incident statement confirming breach, stating no user data exfiltrated.
  • Late 2022 — UK attacker linked to broader Lapsus$ network, arrested and subsequently convicted as part of that investigation.

What defenders should learn

The 2016 breach offers two lessons that remain fully current. The first is that secrets in version control are a perennial, high-prevalence vulnerability. Developers committing access keys, passwords, or API credentials to repositories — public or private — is among the most common initial-access vectors in cloud environment breaches. Automated secret-scanning on all commits, both at commit time and retroactively across repository history, is a standard available control that many organisations have not deployed. GitHub itself offers this; third-party tools extend coverage further. No credential that has ever appeared in a repository should be considered safe until it has been rotated.

The second 2016 lesson is about breach response governance. Sullivan’s conviction is not simply a cautionary tale about personal legal exposure. It is a marker for an expectation that breach response decisions — including ransom payment decisions, notification decisions, and decisions about what to tell regulators — will be judged by a legal standard, not only an operational one. Security leaders and their legal and executive colleagues should have pre-agreed escalation paths and documented decision-making records for any significant incident. The label applied to a payment — “bug bounty” rather than “ransom” — is not a legally operative distinction if the underlying facts are those of a ransom.

The 2022 breach illustrates two separate failure modes. MFA fatigue — the use of push-notification flooding to wear down a target until they approve a malicious request — is a known and well-documented attack. The defence is straightforward: use phishing-resistant MFA (hardware keys or passkeys) rather than push notifications for any account with access to sensitive systems. Push-based MFA is better than no MFA, but it is not resistant to a motivated attacker with the target’s username and password in hand.
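The push-flooding pattern described above is visible in authentication logs before the approval happens. The following is an added detection example, not Uber's or any vendor's logic; the JSON log format and the event names are assumptions, and the log lines are constructed.

```python
"""Flag MFA push-fatigue bursts in authentication logs.

Added example, not Uber's or any vendor's detection logic. The log format
is an assumption: one JSON object per line with 'ts', 'user' and 'event'
(push_sent / push_denied / push_approved).
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

def _rec(ts, user, event):
    return json.dumps({"ts": ts, "user": user, "event": event})

# Constructed sample log: 'contractor1' receives a push every two minutes
# for 40 minutes and finally approves; 'engineer2' is a normal login.
SAMPLE_LOG = "\n".join(
    [_rec(f"2022-09-15T01:{m:02d}:00Z", "contractor1", "push_sent")
     for m in range(0, 40, 2)]
    + [_rec("2022-09-15T01:41:00Z", "contractor1", "push_approved"),
       _rec("2022-09-15T02:00:00Z", "engineer2", "push_sent"),
       _rec("2022-09-15T02:00:20Z", "engineer2", "push_approved")])

def detect_mfa_fatigue(log_text, window=timedelta(hours=1), threshold=5):
    """Return {user: (max_pushes_in_window, approved_after_burst)} for every
    user who received more than `threshold` pushes inside `window`.
    approved_after_burst is True when an approval follows the burst: the
    sequence the page describes, and the one that should page an analyst."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = json.loads(line)
            ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events[rec["user"]].append((ts, rec["event"]))
    findings = {}
    for user, evs in events.items():
        evs.sort()
        sent = [t for t, e in evs if e == "push_sent"]
        best, best_end, start = 0, None, 0
        # Sliding window over push timestamps: size of the largest burst
        # and the time of its last push.
        for end, t in enumerate(sent):
            while t - sent[start] > window:
                start += 1
            if end - start + 1 > best:
                best, best_end = end - start + 1, t
        if best > threshold:
            approved = any(e == "push_approved" and t >= best_end
                           for t, e in evs)
            findings[user] = (best, approved)
    return findings
```

A burst with no approval is still worth an alert, since it means the attacker already holds a valid password for that account.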

The hard-coded credentials in a PowerShell script on a shared drive are a separate failure. Credentials written into scripts, configuration files, or shared documents are a fundamentally insecure pattern — they propagate to everywhere the file is copied, cannot be rotated without finding every copy, and are invisible to monitoring systems that track credential usage through the authentication system. Centralised secrets management — a vault that issues temporary, scoped credentials on request rather than permanent secrets in files — is the architectural answer. Finding hard-coded credentials in the environment is also the kind of thing that thorough purple-team or red-team exercises surface. The attacker found this file quickly; an internal red team should have found it first.
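Both the 2016 failure (AWS keys committed to a repository) and the 2022 one (plaintext credentials in a PowerShell script on a share) are caught by the same kind of pattern scan, run on commits and on file shares. The scanner below is an added example, not Uber's tooling or any product; its rule names and sample inputs are constructed, and the AWS values are the placeholder keys AWS uses in its own documentation.

```python
"""Scan text (a git diff, a script, a config) for the two secret patterns
this page describes: AWS keys committed to a repository, and plaintext
credentials inside PowerShell scripts. Added example; rule names and the
sample inputs below are constructed.
"""
import re

RULES = [
    ("aws-access-key-id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("aws-secret-access-key",
     re.compile(r"aws_secret_access_key\s*[=:]\s*['\"]?[A-Za-z0-9/+=]{40}", re.I)),
    ("powershell-plaintext-securestring",
     re.compile(r"ConvertTo-SecureString\s+['\"][^'\"]+['\"]\s+-AsPlainText", re.I)),
    ("powershell-password-variable",
     re.compile(r"\$\w*(?:pass|pwd|secret)\w*\s*=\s*['\"][^'\"]+['\"]", re.I)),
]

def scan_text(text):
    """Return [(line_number, rule_name)] for every line matching a rule.
    Only the rule and location are reported, so the scan output does not
    become another copy of the secret."""
    hits = []
    for num, line in enumerate(text.splitlines(), start=1):
        for name, pat in RULES:
            if pat.search(line):
                hits.append((num, name))
    return hits

def scan_diff_added_lines(diff):
    """Pre-commit / pre-receive use: check only the lines a diff adds ('+'),
    skipping the '+++' file header. Line numbers are relative to the
    stream of added lines."""
    added = "\n".join(l[1:] for l in diff.splitlines()
                      if l.startswith("+") and not l.startswith("+++"))
    return scan_text(added)

# Constructed sample diff: a developer commits an AWS credentials file.
SAMPLE_DIFF = """\
+++ b/deploy/.aws/credentials
+[default]
+aws_access_key_id = AKIAIOSFODNN7EXAMPLE
+aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

# Constructed sample PowerShell script of the kind left on a network share.
SAMPLE_PS1 = """\
$pamUser = "svc_pam_admin"
$pamPass = "Sup3rS3cret!"
$sec = ConvertTo-SecureString "Sup3rS3cret!" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($pamUser, $sec)
"""
```

Any hit from the diff scanner should block the push and trigger rotation of the key, since the value has already left the developer's machine; a hit on a share should be treated as a credential already disclosed.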

Controls that would have helped

Defender controls catalogued in the Controls Desk that would have changed the outcome of this incident, or limited its blast radius. Sourced from regulator and framework guidance — never vendors.

Sources