ThreatLink
Uber Breach and MFA Fatigue
4 Apr. 2025
I’m Etienne — passionate about tech, cybersecurity and entrepreneurship. ThreatLink is a monthly newsletter that breaks down real-world cyberattacks involving third-party tools, vendors, and supply chains. Each edition covers one major incident with clear, actionable insights for CISOs, security leaders, and the broader cyber community.
In September 2022, Uber suffered a high-impact security breach that exposed critical internal systems. This wasn't the result of sophisticated malware or zero-day exploits, but rather a combination of valid credentials, human error, and social engineering. The entry point? A third-party contractor with privileged access. One of the key techniques used was what we now commonly refer to as "MFA Fatigue."
This post breaks down, step by step, how the attacker infiltrated Uber's environment, what systems were accessed, who the attacker was, and the broader organizational impact of the incident.
The Initial Entry Point
The attacker obtained valid credentials belonging to a third-party contractor working for Uber. This contractor had access to Uber’s internal network via VPN, protected by multi-factor authentication (MFA) using push notifications (Duo Security).
Step-by-Step: How MFA Fatigue Was Used
With the valid credentials in hand, the attacker began a targeted push notification attack, exploiting the way many MFA systems rely on user approval via mobile app:
The attacker started spamming push notifications to the contractor's phone by continuously attempting to log in through Uber’s VPN.
These notifications were sent in rapid succession—dozens, possibly hundreds—causing confusion and disruption, especially since they arrived in the middle of the night.
When the contractor didn’t respond, the attacker escalated the social engineering.
The WhatsApp Message
The attacker obtained the contractor’s personal phone number and sent a message via WhatsApp, impersonating Uber’s IT support team.
The message read something like:
"Hi, this is Uber IT support. We’re experiencing a bug with the login system and need you to accept the MFA notification so it can be reset. Once you accept it, the notifications will stop."
Presented as an urgent, late-night IT support issue, this message lowered the contractor’s guard. Under pressure, and probably fatigued and confused, the contractor approved the next push notification.
At that moment, the attacker was granted full VPN access to Uber's internal network.
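The sequence described above (a burst of unanswered push prompts, then a single approval) is something a defender can look for in MFA logs. The following is an added example, not code from the article, Uber or Duo; the log format, user names, thresholds and function names are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs): ISO timestamp, user, push result.
SAMPLE_EVENTS = """\
2024-01-01T01:02:10 contractor01 timeout
2024-01-01T01:02:40 contractor01 timeout
2024-01-01T01:03:05 contractor01 denied
2024-01-01T01:03:30 contractor01 timeout
2024-01-01T01:04:00 contractor01 timeout
2024-01-01T01:21:45 contractor01 approved
2024-01-01T09:00:00 employee02 timeout
2024-01-01T09:00:30 employee02 approved
"""

def parse(line):
    ts, user, result = line.split()
    return datetime.fromisoformat(ts), user, result

def detect_push_fatigue(lines, threshold=5, burst=timedelta(minutes=10),
                        follow_up=timedelta(hours=1)):
    """Return (user, kind, time) alerts; thresholds are assumed defaults to tune."""
    recent = defaultdict(deque)  # user -> times of unanswered or denied pushes
    burst_end = {}               # user -> time of the latest push inside a burst
    alerts = []
    events = sorted(parse(l) for l in lines if l.strip())
    for ts, user, result in events:
        if result in ("timeout", "denied"):
            q = recent[user]
            q.append(ts)
            while ts - q[0] > burst:   # keep only pushes inside the burst window
                q.popleft()
            if len(q) >= threshold:
                if user not in burst_end or ts - burst_end[user] > burst:
                    alerts.append((user, "push_burst", ts))
                burst_end[user] = ts
        elif result == "approved":
            last = burst_end.pop(user, None)
            if last is not None and ts - last <= follow_up:
                # An approval shortly after a burst is the high-severity case.
                alerts.append((user, "approved_after_burst", ts))
            recent[user].clear()
    return alerts

if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

The follow-up window is deliberately longer than the burst window, because the approval in this incident came only after an out-of-band message, not immediately after the prompts.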