Featured Article

How do you stop another Uber hack?

Lapsus$ hackers strike again with a new MFA attack


Uber logo outside its headquarters in San Francisco.
Image Credits: Justin Sullivan (opens in a new window) / Getty Images

Ride hailing giant Uber says its services are operational following a “cybersecurity incident” last week that saw a hacker break into the company’s network and access systems that store vast troves of customer data.

Uber said little about the incident until Monday. Screenshots of inside Uber’s network posted to Twitter by security researchers in conversations with the hacker showed access to internal dashboards, the company’s Slack and its HackerOne accounts. Uber said in its Monday update that the hacker stole some internal information and Slack messages, but that no sensitive information — like credit card data and trip histories — was taken, leaving open the question if other personal user information was compromised.

The hacker, who claims to be an 18-year-old, told security researchers that they broke into Uber’s systems by stealing an employee’s password and also tricking the employee into approving the attacker’s push notification for Uber’s multi-factor authentication, or MFA.

Once they had that critical foothold on Uber’s network, the hacker claimed to find a network share containing high-privilege credentials that allowed them near-unfettered access to the rest of the company’s systems.

Uber said Monday that the hacker, who was affiliated with Lapsus$, a group that hacked Okta, Microsoft, Nvidia, Globant and Rockstar Games earlier this year, compromised an Uber contractor’s user account. Uber said it briefly took down some internal tools following the breach and that customer support operations were “minimally impacted and are now back to normal.”

Uber’s final incident post-mortem may not be known for some time, but security experts are already dissecting how the hacker got access to Uber’s systems to begin with — by defeating the company’s MFA security with apparent ease.

Not all MFA options — that extra step you have to complete after entering your username and password to verify that it’s really you logging in and not an attacker — are created equal; some are stronger than others. Codes sent by text messages, which can be intercepted or stolen, have largely been fazed out in favor of mobile authenticator apps that churn out constantly rotating random codes or send out push notifications that are near-impossible to intercept. But as attacks are getting smarter, some of the strongest MFA protections are being defeated by exploiting vulnerabilities in human behavior.

If one of the world’s biggest companies can be breached this way, how do you protect against another Uber hack?

How did the hacker defeat MFA?

According to researchers, the employee’s credentials may have been stolen by password-stealing malware like RedLine installed on an employee’s computer. Lapsus$ is also known to use Redline to steal employee passwords. Uber said the hacker may have bought the stolen passwords from a marketplaces on the dark web.

Once stolen, the hacker had to defeat Uber’s multi-factor authentication, which adds an additional barrier to prevent attackers from using stolen credentials to break into a company’s network.

In a conversation posted to Twitter, the hacker confirmed they socially engineered their way into Uber’s network by using the stolen credentials to send repeated push notifications to the employee for over an hour, then “contacted him on WhatsApp and claimed to be from Uber IT, told him if he wants it to stop he must accept it,” the hacker said. “And well, he accepted and I added my device,” the hacker wrote.

This is what some call MFA fatigue, where hackers take advantage of employees having to repeatedly log in and re-authenticate their access throughout the work day by flooding the employee with push notifications, often outside working hours, in the hopes that eventually the employee accepts a login request out of exasperation.

Rachel Tobac, an expert in social engineering and CEO of SocialProof Security, said MFA fatigue attacks are one of the “easiest ways” to get past MFA to hack an organization.

“Yes, sometimes MFA fatigue looks like repeat requests while the victim is sleeping until they accept, but oftentimes it’s as simple as sending the request 10 times in a row at the beginning of the workday or just obnoxiously spamming requests during a meeting until the victim accepts,” Tobac told TechCrunch.

After tricking the employee into accepting the push notification, the hacker could then send MFA push notifications as if they were the employee, granting them persistent access to Uber’s network.

What’s the fix?

Security experts universally agree that any level of MFA is better than none, but MFA is not a panacea on its own. Uber is not the only company to have used multi-factor authentication and still have its network compromised.

In 2020, hackers broke into Twitter’s network by tricking an employee into entering their credentials into a phishing page they had set up, which the hackers used to generate a push notification sent to the employee’s devices. The employee accepted a prompt, allowing the attackers in, according to an investigation by New York’s state government. More recently, SMS messaging giant Twilio was compromised by using a similar phishing attack, and Mailchimp was also hacked by a social engineering attack that tricked an employee into handing over their credentials.

All of these attacks exploit weaknesses in multi-factor authentication, often by directly targeting the individuals involved, rather than looking for security flaws in these highly audited systems.

Cloudflare is the only company targeted in a recent spate of cyberattacks that blocked a network compromise because it uses hardware security keys, which cannot be phished. In a blog post, Cloudflare admitted that while some employees “did fall for the phishing messages,” its use of hardware security keys, which require employees to physically plug in a USB device to their computers after entering their credentials, stopped the attackers from breaking into its network. Cloudflare said the attack targeted employees and systems in such a way “that we believe most organizations would be likely to be breached.”

Security keys are seen as the gold standard of MFA security but they are not without their own challenges, not least the costs of the keys and their upkeep. “We spend our time arguing about the necessity of hardware security keys for all, but in the field some organizations are still fighting for mandatory SMS two-factor authentication or MFA prompts for internal access,” said Tobac.

While MFA by randomly generated code or push notification are by no means perfect, as evidenced by Uber’s breach, “we can’t let perfect be the enemy of the good,” Tobac says. “Small improvements over time make a big difference.”

“The biggest questions I’m getting from organizations right now are about how to configure already existing MFA tools to limit the attack methods we are seeing in the Uber, Twilio and Twitter hacks,” Tobac said. “It’s a lot of helping organizations think through small improvements that can be made quickly so they don’t get stuck debating updates for months (or even years) internally.”

One important improvement making the rounds is MFA number matching, which makes social engineering attacks far more difficult by displaying a code on the screen of the person logging in and having to enter that code into an app on the person’s verified device. The idea is that the attacker would need both the target’s credentials and their verified device, similar to that of a security key.

Microsoft, Okta and Duo offer MFA number matching. But as noted by security researcher Kevin Beaumont, Microsoft’s solution is still in preview and Okta’s number matching offering is bundled in an expensive licensing tier. Uber relies on Duo for MFA, but reportedly was not using number matching at the time of its breach.

“In other news you are seeing a bunch of teens reinvent the cybersecurity industry in real time,” Beaumont tweeted.

Network defenders can also set up alerts and limits for how many push notifications a user can get, Tobac said — and noted in a Twitter thread — and start by rolling out security keys to a test group of users with the aim of growing the group each quarter.

For its part, Uber said on Monday that it was strengthening its MFA policies in response to its breach.

As for how the hacker got access to high-privilege credentials for the rest of its critical systems using just a contractor’s stolen password, Uber might still have a lot to answer for.

How two-factor authentication can protect you from account hacks

More TechCrunch

Some startups choose to bootstrap from the beginning while others find themselves forced into self funding by a lack of investor interest or a business model that doesn’t fit traditional…

VCs wanted FarmboxRx to become a meal kit, the company bootstrapped instead

Uber and Lyft drivers in Minnesota will see higher pay thanks to a deal between the state and the country’s two largest ride-hailing companies. The upshot: a new law that…

Uber and Lyft’s ride-hailing deal with Minnesota comes with a cost

Andreessen Horowitz’s American Dynamism fund has established a new fellowship program aimed at introducing top engineers and technologists to venture investing, a move that could help the firm identify less…

a16z’s American Dynamism team launches program to introduce technical minds to VC

Another fintech startup, and its customers, has been gravely impacted by the implosion of banking-as-a-service startup Synapse. Copper Banking, a digital banking service aimed at teens, notified its customers on…

Teen fintech Copper had to emergency discontinue its banking, debit products

Autodesk — the 3D tools behemoth — has acquired Wonder Dynamics, a startup that lets creators quickly and easily make complex characters and visual effects using AI-powered image analysis. The…

Autodesk acquires AI-powered VFX startup Wonder Dynamics

Farcaster, a blockchain-based social protocol founded by two Coinbase alumni, announced on Tuesday that it closed a $150 million fundraise. Led by Paradigm, the platform also raised money from a16z…

Farcaster, a crypto-based social network, raised $150M with just 80K daily users

Microsoft announced on Tuesday during its annual Build conference that it’s bringing “Windows Volumetric Apps” to Meta Quest headsets. The partnership will allow Microsoft to bring Windows 365 and local…

Microsoft’s new ‘Volumetric Apps’ for Quest headsets extend Windows apps into the 3D space

The spam reached Bluesky by first crossing over two other decentralized networks: Mastodon and Nostr.

The ‘vote Trump’ spam that hit Bluesky in May came from decentralized rival Nostr

Welcome to TechCrunch Fintech! This week, we’re looking at the continued fallout from Synapse’s bankruptcy, how Layer wants to disrupt SMB accounting, and much more! To get a roundup of…

There’s a real appetite for a fintech alternative to QuickBooks

The company is hoping to produce electricity at $13 per megawatt hour, which would be more than 50% cheaper than traditional onshore wind.

Bill Gates-backed wind startup AirLoom is raising $12M, filings reveal

Generative AI makes stuff up. It can be biased. Sometimes it spits out toxic text. So can it be “safe”? Rick Caccia, the CEO of WitnessAI, believes it can. “Securing…

WitnessAI is building guardrails for generative AI models

It’s not often that you hear about a seed round above $10 million. H, a startup based in Paris and previously known as Holistic AI, has announced a $220 million…

French AI startup H raises $220M seed round

Hey there, Series A to B startups with $35 million or less in funding — we’ve got an exciting opportunity that’s tailor-made for your growth journey! If you’re looking to…

Boost your startup’s growth with a ScaleUp package at TC Disrupt 2024

TikTok is pulling out all the stops to prevent its impending ban in the United States. Aside from initiating legal action against the U.S. government, that means shaping up its…

As a US ban looms, TikTok announces a $1M program for socially driven creators

Microsoft wants to put its Copilot everywhere. It’s only a matter of time before Microsoft renames its annual Build developer conference to Microsoft Copilot. Hopefully, some of those upcoming events…

Microsoft’s Power Automate no-code platform adds AI flows

Build is Microsoft’s largest developer conference and of course, it’s all about AI this year. So it’s no surprise that GitHub’s Copilot, GitHub’s “AI pair programming tool,” is taking center…

GitHub Copilot gets extensions

Microsoft wants to make its brand of generative AI more useful for teams — specifically teams across corporations and large enterprise organizations. This morning at its annual Build dev conference,…

Microsoft intros a Copilot for teams

Microsoft’s big focus at this year’s Build conference is generative AI. And to that end, the tech giant announced a series of updates to its platforms for building generative AI-powered…

Microsoft upgrades its AI app-building platforms

The U.K.’s data protection watchdog has closed an almost year-long investigation of Snap’s AI chatbot, My AI — saying it’s satisfied the social media firm has addressed concerns about risks…

UK data protection watchdog ends privacy probe of Snap’s GenAI chatbot, but warns industry

U.S. cell carrier Patriot Mobile experienced a data breach that included subscribers’ personal information, including full names, email addresses, home ZIP codes and account PINs, TechCrunch has learned. Patriot Mobile,…

Conservative cell carrier Patriot Mobile hit by data breach

It’s been three years since Spotify acquired live audio startup Betty Labs, and yet the music streaming service isn’t leveraging the technology to its fullest potential — at least not…

Spotify’s ‘Listening Party’ feature falls short of expectations

Alchemist Accelerator has a new pile of AI-forward companies demoing their wares today, if you care to watch, and the program itself is making some international moves into Tokyo and…

Alchemist’s latest batch puts AI to work as accelerator expands to Tokyo, Doha

“Late Pledge” allows campaign creators to continue collecting money even after the campaign has closed.

Kickstarter now lets you pledge after a campaign closes

Stack AI’s co-founders, Antoni Rosinol and Bernardo Aceituno, were PhD students at MIT wrapping up their degrees in 2022 just as large language models were becoming more mainstream. ChatGPT would…

Stack AI wants to make it easier to build AI-fueled workflows

Pinecone, the vector database startup founded by Edo Liberty, the former head of Amazon’s AI Labs, has long been at the forefront of helping businesses augment large language models (LLMs)…

Pinecone launches its serverless vector database out of preview

Young geothermal energy wells can be like budding prodigies, each brimming with potential to outshine their peers. But like people, most decline with age. In California, for example, the amount…

Special mud helps XGS Energy get more power out of geothermal wells

Featured Article

Sonos finally made some headphones

The market play is clear from the outset: The $449 headphones are firmly targeted at an audience that would otherwise be purchasing the Bose QC Ultra or Apple AirPods Max.

8 hours ago
Sonos finally made some headphones

Adobe says the feature is up to the task, regardless of how complex of a background the object is set against.

Adobe brings Firefly AI-powered Generative Remove to Lightroom

All cars suffer when the mercury drops, but electric vehicles suffer more than most as heaters draw more power and batteries charge more slowly as the liquid electrolyte inside thickens.…

Porsche Ventures invests in battery startup South 8 to boost cold-weather EV performance

Scale AI has raised a $1 billion Series F round from a slew of big-name institutional and corporate investors including Amazon and Meta.

Data-labeling startup Scale AI raises $1B as valuation doubles to $13.8B