Breach Teardown
What Caused the Uber Breach?
The 2022 Uber intrusion chained two classic identity failures. An MFA-fatigue attack wore down a contractor into approving a push prompt, and a PowerShell script on an internal network share contained hardcoded administrator credentials for the privileged access management platform, the vault holding the keys to everything else.
- Scale
- Broad internal system access; no evidence of sensitive user data theft (per Uber)
- Attack vector
- MFA fatigue, then hardcoded PAM admin credentials on a share
- IAM domains implicated
- Auth/SSO, PAM, Security
- Domino controls hit
- 2 of 4
The Incident
What Happened
In September 2022, an attacker later linked in reporting to the Lapsus$ extortion group gained access to Uber’s internal environment. Per Uber’s security update, the attacker likely purchased a contractor’s corporate password on the dark web after the contractor’s personal device was infected with malware. Repeated login attempts triggered a stream of MFA push notifications; the contractor eventually accepted one, and the attacker was in.
What turned a single contractor account into a company-wide incident was privilege escalation through exposed secrets. As widely reported and reflected in security-community analyses, the attacker found a network share containing PowerShell scripts, one of which included hardcoded administrator credentials for Uber’s privileged access management platform. Control of the PAM system yielded elevated access to tools including AWS, Google Workspace, and Slack.
The intrusion became public in the most embarrassing way available: the attacker announced themselves in the company’s Slack. Uber stated it found no evidence that the attacker accessed sensitive user data like trip histories or payment card numbers.
Attack Chain
How the Attack Compounded
Each step below marks the AXIS control that failed at that point in the chain, where one applies. Steps without a control marker were outside the victim's direct span of control.
Malware on a contractor’s personal device leads to their corporate password being sold on the dark web.
Repeated MFA push prompts plus a social-engineering message wear the contractor down into approving a login.
AUTH-04
Inside the VPN, a network share scan turns up PowerShell scripts with hardcoded PAM administrator credentials.
PAM-02
The PAM platform’s admin access unlocks secrets for AWS, Google Workspace, Slack, and more.
PAM-01
The attacker roams broadly and self-announces in Slack. Detection did not end the intrusion; the intruder did.
SEC-03
Control Mapping
The IAM Controls That Failed
Every failure point below corresponds to a control in the AXIS question bank, the same 4 controls a maturity assessment would have scored before this incident.
| Control | Domain | Capability | How it failed here |
|---|---|---|---|
| AUTH-04 | Auth/SSO | Phishing-Resistant MFA & Session Integrity | Push-based MFA without number matching or phishing-resistant factors is vulnerable to prompt-bombing by design. The control actually being tested is the human approving the hundredth prompt at 2am. |
| PAM-02 Domino | PAM | Secrets Management (Non-Human & Application Credentials) | Administrator credentials for the secrets vault itself were hardcoded in a script on a broadly readable share: the single most valuable secret in the company, stored in the least controlled way available. |
| PAM-01 Domino | PAM | Admin Credential Protection | PAM admin access functioned as a skeleton key with no compensating isolation. One credential yielded standing, unmonitored elevation across cloud, SaaS, and collaboration tooling. |
| SEC-03 | Security | User Behavioral Analytics (UBA) | A contractor account traversing network shares, authenticating to the PAM console, and fanning out across cloud consoles is a behavioral outlier on every axis. The intrusion surfaced through the attacker’s Slack post, not analytics. |
The Maturity Lesson
What Would Have Changed the Outcome
The Domino Effect
PAM-02, secrets management, is a domino control, and Uber is the case that explains it. Maturity everywhere else stopped mattering once a vault-admin credential sat in plaintext on a share. The AXIS domino cap encodes that dynamic: a level-0 answer on secrets management caps the whole program, because in a real attack the weakest secret becomes the whole security posture.
The Maturity Level That Mattered
At level 2 on PAM-02, credential scanning across repositories and shares plus vault-enforced workflows would have found or prevented the hardcoded credential. At level 2 or 3 on AUTH-04, number matching or FIDO2 factors make prompt-bombing structurally ineffective rather than a matter of user stamina.
The chain also shows why assessments weight the intersection of controls. MFA fatigue got the attacker in, but exposed secrets got them everything. Scoring authentication and secrets management independently, then letting the lowest domino cap the total, mirrors how the attack actually compounded.
Related Compliance Frameworks
The controls implicated in this breach carry citations in these frameworks within the AXIS bank:
Sources
About This Analysis
This teardown is based exclusively on public disclosures, regulatory findings, and reporting cited above; it makes no claim of insider knowledge about the internal environment at Uber. Control mappings express how the publicly documented failure points correspond to capabilities in the AXIS methodology, for educational purposes. AXIS is not affiliated with Uber.
More From the Breach Radar
Would Your Program Have Caught This?
The 4 controls that failed here are questions in the AXIS assessment. Score your organization against them, and the rest of the bank, in about 20 minutes. No signup required to start.