Uber Is Too Big to Accept a Teen’s Attack, Maybe That’s Why it Brought ‘Lapsus$’ in


Uber is too ashamed to admit that a teenager hacked its internal systems

The mastermind behind last week's Uber hack has turned out to be an 18-year-old who got into Uber's internal systems (including G Suite and Slack), putting the company through a data breach. The anonymous hacker came forward to the New York Times and told the outlet that he pretended to be an IT worker for Uber and sent an Uber employee a text message asking for his password, which gave him access to the internal systems.

The company has released more information about how it was hacked, largely confirming the account given by the hacker. Uber says that the hacker exploited the login credentials of a company contractor to initially gain access to the network. The hacker may have originally bought access to those credentials on the dark web, Uber says. The hacker then used them to make multiple login attempts to the contractor's account. The login attempts prompted a slew of multi-factor authentication requests for the contractor, who ultimately authenticated one of them. The hacker has previously claimed to have conducted a social engineering scheme to convince the contractor to authenticate the login attempt.

Security experts have called this an "MFA fatigue" attack. This increasingly common intrusion tactic seeks to overwhelm a victim with authentication push requests until they validate the hacker's illegitimate login attempt.
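A defender's view of the pattern described above, as an added example that is not part of the original article: a sliding-window check that flags a user who receives a burst of rejected or ignored push prompts, and flags again if one is then approved. The log format, event names, window and threshold are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed look-back window
THRESHOLD = 5                    # assumed count of rejected/ignored pushes that makes a burst

# Constructed sample log, hypothetical format: <ISO timestamp> <user> <source IP> <push result>
SAMPLE_LOG = """\
2024-01-10T01:00:05 contractor-a 203.0.113.7 push_timeout
2024-01-10T01:00:40 contractor-a 203.0.113.7 push_denied
2024-01-10T01:01:15 contractor-a 203.0.113.7 push_timeout
2024-01-10T01:02:02 contractor-a 203.0.113.7 push_denied
2024-01-10T01:02:50 contractor-a 203.0.113.7 push_timeout
2024-01-10T01:03:30 contractor-a 203.0.113.7 push_timeout
2024-01-10T01:04:10 contractor-a 203.0.113.7 push_approved
2024-01-10T08:59:58 employee-b 198.51.100.20 push_timeout
2024-01-10T09:00:20 employee-b 198.51.100.20 push_approved
"""

def parse(log):
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        yield datetime.fromisoformat(ts), user, ip, result

def detect_push_fatigue(log, window=WINDOW, threshold=THRESHOLD):
    """Return (user, ip, kind, count) alerts for push bursts and approvals that follow them."""
    recent = defaultdict(deque)   # user -> timestamps of rejected/ignored pushes
    alerts = []
    for ts, user, ip, result in sorted(parse(log)):
        failed = recent[user]
        while failed and ts - failed[0] > window:
            failed.popleft()      # forget pushes older than the window
        if result in ("push_denied", "push_timeout"):
            failed.append(ts)
            if len(failed) == threshold:
                alerts.append((user, ip, "burst", len(failed)))
        elif result == "push_approved":
            if len(failed) >= threshold:
                alerts.append((user, ip, "approved_after_burst", len(failed)))
            failed.clear()
    return alerts

if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG):
        print(alert)
```

An `approved_after_burst` alert is the case that matters most for response: the session created by that approval should be treated as suspect and revoked pending contact with the user.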

Most interestingly, Uber has also claimed that whoever was behind this hacking episode is affiliated with the cybercrime gang "LAPSUS$." It's not totally clear how Uber knows that.
