Dark Perimeter: True Cybersecurity Stories
Every major cyberattack has a story behind it. A vulnerability no one patched. A phishing email someone clicked. A nation-state with a motive. Dark Perimeter goes beyond the headlines to explore the true stories of the hacks, breaches, and cyber operations that shaped history - told in narrative form for security professionals and curious minds alike. No guests, no panels, no filler. Just the story.
One Phone Call
In September 2022, a teenager broke into one of the world’s most valuable tech companies without writing a single line of exploit code. He bought stolen credentials on the dark web, flooded a contractor’s phone with authentication requests for over an hour, then sent a WhatsApp message pretending to be IT support. That was enough. Once inside Uber’s network, he found admin credentials sitting in a PowerShell script on a shared drive — and from there, he had access to everything: AWS, Google Workspace, Slack, bug bounty reports, and internal dashboards. He announced his success by posting on the company’s own Slack channel. This is the story of the 2022 Uber breach, MFA fatigue, and what it means that a phone call is still one of the most effective hacking tools ever invented.
It's a Thursday afternoon in September 2022. You work at Uber. You're a contractor, probably sitting at home or in an office somewhere, doing your job. Your phone starts buzzing: an authentication notification from Uber's security system. Someone is trying to log into your account. You didn't initiate it. You dismiss it. It buzzes again. And again, and again, and again. For over an hour your phone won't stop. Push notification after push notification, each one asking you to approve a login you didn't request. You keep dismissing them. You're frustrated, you're tired, you just want it to stop.

Then you get a WhatsApp message from someone claiming to be from Uber's IT support team. They're very sympathetic. They explain that there's a technical issue with your account, and that the notifications will stop as soon as you approve one of them. You approve it. Within minutes, a teenager somewhere in the world is inside one of the most valuable tech companies on Earth. And a few hours after that, he posts a message on Uber's company-wide Slack channel that reads, more or less, "I announce I am a hacker."

This is the story of the 2022 Uber breach, one of the most complete corporate intrusions in recent memory, executed not with sophisticated malware, not with a nation state's resources, not with a zero-day exploit. Just a phone call. And a tired contractor who wanted his notifications to stop.

Welcome back to Dark Perimeter. I'm Cole Draden. Last episode we talked about Sony Pictures: a nation state with a political objective, months of patient intrusion, and the most destructive wiper malware ever deployed against an American company. Today we go in a very different direction. Same catastrophic result, completely different method, and in some ways a more unsettling story. Because what happened to Uber in 2022 didn't require any of those things. It required one phone call.

Before we get into Uber specifically, we need to talk about the group behind the breach.
Lapsus$, spelled with a dollar sign, emerged as a major threat actor around late 2021 and exploded into notoriety through 2022. In a single year, they claimed breaches of Microsoft, Nvidia, Samsung, Okta, Cisco, Rockstar Games, and Uber. Not small companies, not soft targets. The biggest names in the technology industry, one after another.

What made Lapsus$ unusual wasn't their technical sophistication; it was almost the opposite. Security researchers were repeatedly struck by how unsophisticated their methods were, and how effective those methods turned out to be. Lapsus$ made social engineering their primary weapon: calling employees, pretending to be IT support, bribing insiders, convincing people with legitimate access to just hand it over. While the rest of the security industry was focused on elaborate technical defenses, Lapsus$ was demonstrating, repeatedly and publicly, that you could bypass all of it by picking up a phone.

The group appeared to be composed largely of teenagers. When UK authorities arrested seven members in connection with Lapsus$ activity in March 2022, the suspects ranged in age from 16 to 21. One member was reportedly a sixteen-year-old from Oxford. The attacker behind the Uber breach identified himself as an eighteen-year-old. He went by the handle Teapot. He communicated openly with security researchers after the breach, explaining exactly what he'd done, and apparently finding the whole thing fairly entertaining.

This is important context. Because when we talk about what happened at Uber, we're not talking about a shadowy intelligence agency or a sophisticated criminal syndicate. We're talking about a teenager who understood one thing that billion-dollar companies kept forgetting: the most vulnerable component in any security system is a tired human being.

The breach began, as so many do, with credentials.
Uber's investigation concluded that the attacker obtained the login credentials of an external contractor, likely purchased from a dark web marketplace where stolen credentials are bought and sold like commodities. The contractor's personal device had at some point been compromised by infostealer malware, software that quietly harvests saved passwords and ships them out to whoever is operating it. This is not a rare scenario. Credential marketplaces on the dark web list billions of stolen logins. The going rate for a set of corporate credentials can be a few dollars, sometimes less. The economics of credential theft have made it one of the most cost-effective entry points in the attacker's toolkit.

So the attacker had a username and password. But Uber, like most large organizations, had multifactor authentication in place. Entering the right password wasn't enough. The account required a second approval, a push notification sent to the contractor's phone. MFA is supposed to stop exactly this scenario. Stolen credentials become useless if the attacker can't also control the second factor, and for most attackers, that's where the road ends. For this attacker, it was where the road got interesting.

The technique the attacker used has a clinical name: MFA fatigue, sometimes called MFA bombing or push bombing. The concept is almost insultingly simple. If you can't approve an authentication request yourself, you make the legitimate account holder approve it for you. You do that by flooding their phone with push notifications until they either give up and approve one, make a mistake, or can be convinced by a follow-up social engineering call that approving one is the right thing to do. The attacker reportedly sent the contractor MFA push notifications for over an hour, one after another, nonstop.

To understand why this works, you have to think about what that experience is like from the other side. You're trying to work.
Your phone is being hijacked by a continuous stream of authentication requests. You've dismissed them, you've tried to ignore them, you're probably annoyed, maybe a little anxious, definitely distracted. The noise of it creates a kind of psychological pressure that compounds over time. Security researcher Kevin Beaumont, reflecting on Lapsus$ tactics around this period, recalled an attacker explaining their philosophy like this: if you contact someone at one in the morning and call them a hundred times, they'll more than likely accept just to make it stop.

But Teapot added a second layer. After the bombardment, he sent a WhatsApp message. He introduced himself as Uber IT support. He told the contractor that the notification storm was a technical issue, and the only way to resolve it was to approve one request. Think about the psychology of that moment. You've been bombarded for an hour. Someone official-sounding is now explaining the situation and offering a resolution. Your brain has been conditioned by an hour of friction to want this to be over. The contractor approved the request. The attacker was in.

This is where the story shifts from social engineering to operational security failure, and where Uber's embarrassment deepens considerably. Once inside the contractor's account, the attacker began scanning the internal network. He was looking for what security professionals call privilege escalation paths: ways to move from a low-privilege entry point to something with real power. He didn't have to look long. On an internal network share, a shared file storage area accessible to a broad range of employees, he found a PowerShell script, and inside that PowerShell script were hard-coded administrative credentials. Admin usernames and passwords sitting in plaintext in a script on a shared drive. With those credentials, the attacker had the keys to the kingdom.
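The hard-coded credentials the attacker found on that share are exactly what a secret scanner run over shared drives is meant to catch. The following is an added example, not code from the podcast or from Uber: a small Python scanner applied to a constructed PowerShell script with placeholder secrets, next to a version of the same job that fetches its secret at runtime (the vault name is hypothetical).

```python
import re

# Patterns a defender-side secret scanner might apply to PowerShell scripts.
# Each entry is (finding name, compiled regex); illustrative, not exhaustive.
PATTERNS = [
    ("plaintext password variable",
     re.compile(r'\$\w*(pass|pwd|secret|token)\w*\s*=\s*["\'][^"\']{4,}["\']', re.I)),
    ("ConvertTo-SecureString on literal",
     re.compile(r'ConvertTo-SecureString\s+["\'][^"\']+["\']\s+-AsPlainText', re.I)),
    ("-Password literal argument",
     re.compile(r'-Password\s+["\'][^"\']{4,}["\']', re.I)),
    ("net use with inline password",
     re.compile(r'\bnet\s+use\b.*\s\S+\s+/user:', re.I)),
]

def scan_powershell(text: str):
    """Return (line_no, finding, line) for each line holding a credential literal."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # skip blank lines and comments
        for name, rx in PATTERNS:
            if rx.search(stripped):
                findings.append((no, name, stripped))
                break  # one finding per line is enough for triage
    return findings

# Constructed sample scripts. Secrets are placeholders, not real values.
BAD_SCRIPT = """\
# nightly backup job
$adminUser = "CORP\\svc_backup"
$adminPass = "PLACEHOLDER_PASSWORD"
$sec = ConvertTo-SecureString "PLACEHOLDER_PASSWORD" -AsPlainText -Force
net use Z: \\\\fileserver\\share PLACEHOLDER_PASSWORD /user:$adminUser
"""

# Same job with the secret resolved at runtime; "CorpVault" is a hypothetical vault.
GOOD_SCRIPT = """\
# nightly backup job, secret fetched at runtime
$cred = Get-Credential -UserName "CORP\\svc_backup" -Message "backup job"
$sec = Get-Secret -Name BackupJob -Vault CorpVault
"""
```

Running `scan_powershell(BAD_SCRIPT)` flags lines 3, 4 and 5 of the constructed script, while the runtime-secret version produces no findings.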
He gained access to Uber's Thycotic privileged access management system, the platform that managed login secrets for essentially the entire company. From there, he could reach virtually everything: AWS, Google Workspace, Duo, OneLogin, Slack, internal dashboards, vulnerability databases, bug bounty reports.

Bug bounty reports deserve a specific mention. Companies run bug bounty programs to pay security researchers who find vulnerabilities; it's a legitimate and valuable practice. Those reports contain detailed documentation of every known unpatched vulnerability in the company's systems. Getting access to a bug bounty program's back end is the equivalent of someone handing you a map of every unlocked door in a building you're about to rob. The attacker now had that map.

Security researchers who later analyzed the breach noted that despite the depth of access the attacker achieved, there was no evidence he exfiltrated or sold sensitive customer data. His apparent motivation was notoriety, not money. He wanted to prove he'd done it; he wanted the credit. And so he decided to make an announcement.

On September 15, 2022, Uber employees started receiving messages on the company's internal Slack system. The attacker had posted to a company-wide channel. The message declared, in terms that left nothing to interpretation, that Uber had been hacked. It included profanity. It named specific internal systems that had been compromised. And according to reports, several Uber employees initially thought it was a joke. It was not a joke. The attacker also reconfigured Uber's OpenDNS system, their internal DNS filtering, to display an explicit image to employees who navigated to internal sites. This was not a subtle exit.

Uber's security team began shutting down internal tools. They took Slack offline. They scrambled to assess what had been accessed and what the attacker still had visibility into.
The same attacker, apparently energized by his success, then breached Rockstar Games the following weekend and leaked early footage from Grand Theft Auto VI, one of the most anticipated games in history, years before its planned release. The gaming world erupted. Teapot was later arrested, but the damage to Uber was done, and the questions it raised about enterprise security hadn't gone anywhere.

Let's be precise about the failures here, because there were several, layered on top of each other.

Failure one: the contractor's personal device. The initial credential theft happened because a contractor's personal device was infected with malware. Contractor and third-party security is a chronic blind spot for organizations. You invest heavily in securing your own employees, your own devices, your own network, and then you hand access to contractors who may have none of those protections on their personal machines. If you have extended network access, you are a target, regardless of your employment status.

Failure two: push notification MFA. MFA is not all equal. Push notifications, where you simply tap approve on your phone, are the most convenient form of MFA and the most vulnerable to this exact attack. Phishing-resistant MFA, like hardware security keys, or number matching authentication, where you have to type in a code you see on screen rather than just tap approve, would have made this attack significantly harder. The security community had been warning about push notification fatigue attacks for years before the Uber breach. Multiple high-profile breaches had used the same technique. Uber was not the first. They should have known.

Failure three: credentials in a script. This one is almost painful to say out loud. Finding administrative credentials hard-coded in a PowerShell script on a shared network drive is a basic operational security failure. It's the kind of thing that gets caught in a security audit.
It's the kind of thing that security teams specifically scan for. The fact that those credentials were sitting there, accessible to anyone who could get a foothold on the network, turned what could have been a contained breach into a complete compromise.

Failure four: least privilege. The contractor account that was compromised should not have had access to the network share where those credentials were found. The principle of least privilege, giving users and accounts only the access they actually need to do their jobs, exists precisely to limit the blast radius when an account gets compromised. At Uber, that principle appears to have been applied inconsistently.

Failure five: no anomaly detection on the MFA stream. Over an hour of continuous failed and successful MFA push notifications on a single account is a significant anomaly. A mature security operations center with behavioral alerting should catch that pattern and trigger an investigation well before the account is compromised. The fact that no automated alert appears to have fired, or if it did, no action was taken quickly enough, is a detection failure compounding the prevention failures.

Five distinct failures, each of which alone might have been survivable. Stacked together, they created a path a teenager could walk through in an afternoon.

I want to step back from Uber specifically and talk about what this breach represents in a broader context, because the lessons extend well beyond one company. The year 2022 was, in many ways, the year the security industry was forced to confront the limits of the technical controls it had spent a decade building. Multifactor authentication had become the consensus answer to credential theft. Get MFA on everything. MFA will save you. And it's not wrong; MFA is dramatically better than passwords alone. But Lapsus$ demonstrated, at scale, against some of the most sophisticated companies in the world, that MFA could be bypassed with a phone call and some patience.
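Returning to failure five: the push stream the contractor received is detectable from authentication logs alone. This added example (not code from the podcast or from any vendor) runs two rules over constructed log lines: a burst of pushes to one account inside a short window, and an approval that follows a run of unanswered prompts, which is the shape of the Uber approval. The log format, account names and thresholds are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds are assumptions for illustration; tune them to your own push volume.
WINDOW = timedelta(minutes=10)
BURST_THRESHOLD = 5   # pushes to one account inside WINDOW -> medium alert
PRIOR_UNANSWERED = 3  # denied/timed-out pushes before an approval -> high alert

def parse_line(line: str):
    """Parse a constructed line: '<ISO ts>Z user=<id> event=push result=<r>'."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kv["user"], kv["result"]

def detect_push_bombing(lines):
    """Return alerts as (severity, user, timestamp, detail), in log order."""
    alerts = []
    recent = defaultdict(deque)    # user -> push timestamps inside WINDOW
    unanswered = defaultdict(int)  # user -> consecutive non-approved pushes
    for line in lines:
        ts, user, result = parse_line(line)
        q = recent[user]
        q.append(ts)
        while ts - q[0] > WINDOW:  # drop pushes that fell out of the window
            q.popleft()
        if len(q) == BURST_THRESHOLD:  # fire once, when the burst first crosses
            alerts.append(("medium", user, ts, f"{BURST_THRESHOLD} pushes in {WINDOW}"))
        if result == "approved":
            if unanswered[user] >= PRIOR_UNANSWERED:
                alerts.append(("high", user, ts,
                               f"approved after {unanswered[user]} unanswered pushes"))
            unanswered[user] = 0
        else:
            unanswered[user] += 1
    return alerts

# Constructed sample: one contractor bombarded for an hour and then approving,
# plus one ordinary user whose single push is approved immediately.
SAMPLE_LOG = """\
2022-09-15T14:00:05Z user=contractor-17 event=push result=denied
2022-09-15T14:02:41Z user=contractor-17 event=push result=timeout
2022-09-15T14:03:10Z user=alice event=push result=approved
2022-09-15T14:05:19Z user=contractor-17 event=push result=denied
2022-09-15T14:07:02Z user=contractor-17 event=push result=denied
2022-09-15T14:09:33Z user=contractor-17 event=push result=timeout
2022-09-15T14:40:12Z user=contractor-17 event=push result=denied
2022-09-15T14:55:48Z user=contractor-17 event=push result=denied
2022-09-15T15:02:07Z user=contractor-17 event=push result=approved
""".splitlines()
```

On the sample, the burst rule fires at 14:09 and the approval rule fires at 15:02 for contractor-17, while alice's single approved push produces nothing.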
Okta, itself an identity and authentication company, the kind of company that exists specifically to prevent this type of breach, was compromised by Lapsus$ in early 2022. The company whose product is the lock got picked.

The message that kept coming through was uncomfortable. Technical controls only work if the humans operating them behave in ways the controls assume they will. An MFA system assumes you won't approve a request you didn't initiate. A privileged access management system assumes nobody left the admin password in a script on a shared drive. A contractor access policy assumes the contractor's personal device isn't already compromised. Security is a system. Every layer depends on every other layer behaving as designed. When one layer fails, especially the human layer, the others can collapse in sequence.

Lapsus$ didn't break cryptography. They didn't reverse engineer kernel vulnerabilities. They called someone on WhatsApp and asked nicely.