The Breach Nobody Saw Coming
September 15, 2022. An 18-year-old hacker sent 40 push notification requests to an Uber employee's phone in under 30 minutes. The employee's screen lit up repeatedly — each one a prompt to approve a login attempt. Approve. Approve. Approve.
Then the hacker messaged the employee directly on WhatsApp, posing as Uber's internal IT security team: "I'm from Uber IT. You need to approve the notification to proceed." The employee, exhausted by the flood, approved one. That single tap handed the attacker full network access to one of the world's most valuable technology companies.
What followed was not a sophisticated zero-day exploit. There was no custom malware. No months-long infiltration. The attacker, linked to the cybercriminal group Lapsus$, was a teenager with a purchased credential and an understanding of how human psychology works under pressure.
"The attacker didn't break through Uber's security. They walked through a door that was left open by design."
How 40 Push Notifications Unlocked Everything
The attack began simply: stolen credentials, bought on a dark web marketplace for a few hundred dollars. Uber's own disclosure said the password had most likely been harvested by infostealer malware on the account owner's personal device. The account had MFA enabled, a push notification prompt that should have been the last line of defense. It wasn't.
The problem wasn't that MFA existed. It was how it was implemented. There was no throttling of push challenges, no alert after ten unanswered or denied prompts, no automatic lock after twenty. Nothing in the authentication flow treated 40 challenges to one account in half an hour as the attack it obviously was. The system was designed to be convenient, not resilient, so the attacker could keep pushing until the employee, worn down and then told by a fake IT contact to approve, did exactly that.
Once inside, lateral movement was effortless. The attacker found a PowerShell script on an internal network share, hardcoded with admin credentials for the privileged access management (PAM) tool that brokered access to AWS, G Suite, Duo, and OneLogin. With those credentials, everything was open. They accessed Uber's HackerOne bug bounty program, reading unpatched vulnerability reports. Then they announced the breach on Uber's internal Slack. The entire company watched it happen in real time.
Why MFA Is Not an Identity Strategy
Most organizations treat MFA as a finish line. Enable it, check the box, move on. Uber had MFA. It didn't matter.
MFA is a control, not a strategy. A control without implementation guardrails is a false perimeter: it creates confidence without creating security. Simple approve/deny push notifications are among the most widely deployed second factors and the most exposed to fatigue attacks, because they ask a human to make a considered decision every single time, under every possible condition, including at 11pm when their phone won't stop buzzing.
The fix isn't removing MFA. It's moving away from the bare approve/deny prompt. Number matching, where the user has to type the code shown on the login screen into the authenticator, defeats blind approval, but it is not phishing-resistant: an attacker who is already chatting with the victim can read the number off their own login screen and relay it. Only FIDO2/WebAuthn authenticators (hardware keys and passkeys) take the tap out of the decision entirely, because the signed assertion is bound to the origin the user's browser is actually talking to and has to be produced on the device where the login is happening.
The Bigger Problem: Credentials Treated Like Secrets
The hardcoded PowerShell script was the catastrophe hiding inside the breach. Once the attacker had network access, they didn't need to crack encryption or escalate privileges through a complex exploit chain. They found admin credentials sitting in a script, in plaintext, accessible to anyone on the internal network.
This is one of the most common IAM failures in enterprise environments: credentials managed informally, stored in scripts, passed around in emails, never rotated. The secret was never secret. It was just hidden — and hiding something is not the same as protecting it.
The deeper issue is cultural. Engineering teams under delivery pressure take shortcuts. Hardcoding a credential "just for now" becomes permanent. Nobody owns the cleanup. The technical debt accumulates silently until an attacker finds it and collects on it all at once.
1. No MFA throttling or rate limiting. 40 consecutive push requests should have triggered an automatic account lock and a security alert. The system had no mechanism to recognize attack behavior in its own authentication flow.
2. Push-based MFA with no cognitive verification. A single tap is all that separated full network access from a failed login attempt. Number matching would have defeated the blind-approval part of the attack; a FIDO2 hardware key would have taken the user's tap out of the decision altogether.
3. Hardcoded admin credentials in a PowerShell script. Secrets management tools exist specifically to remove credentials from scripts and shared environments. This single script handed the attacker access to AWS, G Suite, Duo, and OneLogin simultaneously.
4. Excessive lateral movement without detection. An attacker moved from a single compromised account to the company's most sensitive systems without triggering behavioral alerts. No anomaly detection caught the pattern of access in real time.
How to Fix MFA Before It Fails You
Three changes. The first two would have stopped this breach before a single push notification was approved; the third would have contained it once one was:
Replace bare push approval with something the user cannot complete by reflex. Number matching, where the user must read a number off the login screen and type it into the authenticator, defeats the blind-tap fatigue attack outright: nobody can be worn down into completing a step that needs specific information from the screen in front of them. It is a mitigation, not a phishing-resistant factor, though. An attacker already on WhatsApp with the victim, as this one was, can read the number off their own login page and relay it. FIDO2/WebAuthn authenticators (hardware keys and passkeys) close that gap as well, because the signature covers the origin the browser is actually on and the authenticator has to be present on the device performing the login; an attacker signing in from their own machine has nothing to ask the victim for.
Implement rate limiting and behavioral alerts on authentication attempts. 40 MFA requests in 30 minutes is not normal usage. That pattern should trigger an automatic account suspension and a security alert, not rely on an employee to recognize they're under attack while their phone buzzes continuously. An approval that arrives in the middle of such a storm deserves the same suspicion: it is the attacker's goal, not a successful login, and should not mint a session on its own. The system should be more suspicious than the user is trained to be.
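The detection logic that the paragraph above describes, written out as an added example (this is not Uber's code and not any MFA vendor's API). It replays a constructed JSON-lines authentication log through a sliding-window counter per account, pages the SOC at a threshold, locks the account at a higher one, and, the part most deployments miss, refuses to trust an approval that arrives in the middle of a push storm. The event schema (`ts`, `user`, `type`, `src_ip`), the account names, the addresses and the thresholds are all assumptions for the example; tune them to your IdP's real export.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Illustrative thresholds; these are assumptions for the example, not vendor defaults.
WINDOW = timedelta(minutes=30)
ALERT_AT = 5    # push challenges to one account inside WINDOW before the SOC is paged
LOCK_AT = 10    # push challenges inside WINDOW before the account is locked


class PushFatigueDetector:
    """Sliding-window counter of MFA push challenges per account.

    ingest() returns one decision per event:
      allow     normal traffic
      alert     the ALERT_AT-th challenge in the window; page the SOC, push still sent
      lock      the LOCK_AT-th challenge; lock the account and stop sending pushes
      reject    any further event for a locked account
      distrust  an approval that arrived mid-storm; do not mint a session from it,
                require a different factor and a human check instead
    """

    def __init__(self, window=WINDOW, alert_at=ALERT_AT, lock_at=LOCK_AT):
        self.window, self.alert_at, self.lock_at = window, alert_at, lock_at
        self.pushes = defaultdict(deque)   # account -> timestamps of challenges sent
        self.locked = set()
        self.alerts = []                    # (account, timestamp, reason)

    def _recent(self, account, now):
        """Drop challenges older than the window and return the ones that remain."""
        q = self.pushes[account]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def ingest(self, event):
        account, kind = event["user"], event["type"]
        now = datetime.fromisoformat(event["ts"])
        if account in self.locked:
            return "reject"
        q = self._recent(account, now)
        if kind == "push_sent":
            q.append(now)
            n = len(q)
            if n >= self.lock_at:
                self.locked.add(account)
                self.alerts.append((account, now, f"locked after {n} pushes in {self.window}"))
                return "lock"
            if n == self.alert_at:
                self.alerts.append((account, now, f"{n} pushes in {self.window} from {event.get('src_ip')}"))
                return "alert"
            return "allow"
        if kind == "push_approved" and len(q) >= self.alert_at:
            # This approval is exactly what the attacker was fishing for.
            self.alerts.append((account, now, f"approval after {len(q)} pushes; session not trusted"))
            return "distrust"
        return "allow"


def _event(minute, account, kind, src_ip="203.0.113.7"):
    """Build one constructed JSON-lines log entry (evening of 2022-09-15, assumed format)."""
    return json.dumps({"ts": f"2022-09-15T22:{minute:02d}:00", "user": account,
                       "type": kind, "src_ip": src_ip})


# Constructed sample log: carol logs in normally, alice gets 8 pushes and finally approves,
# bob gets 12 pushes and then approves. Names and addresses are placeholders.
SAMPLE_LOG = (
    [_event(1, "carol", "push_sent", "198.51.100.4"), _event(1, "carol", "push_approved", "198.51.100.4")]
    + [_event(m, "alice", "push_sent") for m in range(2, 10)]
    + [_event(10, "alice", "push_approved")]
    + [_event(m, "bob", "push_sent") for m in range(11, 23)]
    + [_event(23, "bob", "push_approved")]
)


def run(lines, detector=None):
    """Replay JSON-lines events; return [(account, event type, decision), ...]."""
    det = detector or PushFatigueDetector()
    return [(e["user"], e["type"], det.ingest(e)) for e in map(json.loads, lines)]


if __name__ == "__main__":
    det = PushFatigueDetector()
    for account, kind, decision in run(SAMPLE_LOG, det):
        print(f"{account:6} {kind:14} -> {decision}")
    for account, ts, reason in det.alerts:
        print(f"ALERT {ts.isoformat()} {account}: {reason}")
```

On the sample log, alice's fifth push raises an alert and her eventual approval comes back as `distrust` rather than a login; bob is locked at the tenth push and every later event for him, including the approval, is rejected. The same counter can sit behind an IdP webhook or a SIEM correlation rule; the point is that the decision is made by the system, not by the person whose phone is buzzing.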
Eliminate hardcoded credentials through proper secrets management. HashiCorp Vault, AWS Secrets Manager, and Azure Key Vault exist specifically to remove credentials from scripts, code, and shared environments, and to rotate them on a schedule so that a leaked copy expires. Pair that with scanning: search file shares, repositories, and CI logs for credential patterns, and rotate anything found rather than just deleting the file, because you cannot know who already copied it. Every credential stored in a script is a breach waiting for an attacker to have 10 minutes of network access and a text editor.
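The scanning half of that advice, as an added example (not Uber's tooling and not a product's scanner): a small credential scanner for PowerShell left on file shares, the kind of script described earlier in this piece. The sample script is constructed for the example; the PAM hostname, account names and passwords are placeholders, the Basic token is the base64 of a placeholder `user:password`, and `AKIAIOSFODNN7EXAMPLE` is the example access key id from AWS's own documentation. Findings carry the rule, line number, entropy and a redacted prefix, never the secret itself, so the report can be filed without becoming a second leak.

```python
import base64
import math
import re
from collections import Counter
from pathlib import Path

# Detection rules for credential material in PowerShell. Each rule captures the
# secret itself in group 1 so it can be redacted in the report.
PATTERNS = {
    "plaintext_password_assignment": re.compile(
        r'\$(?:\w*pass\w*|\w*pwd\w*|\w*secret\w*|\w*token\w*)\s*=\s*["\']([^"\']{6,})["\']', re.I),
    "securestring_from_plaintext": re.compile(
        r'ConvertTo-SecureString\s+["\']([^"\']+)["\'].*-AsPlainText', re.I),
    "basic_auth_header": re.compile(r'Basic\s+([A-Za-z0-9+/]{16,}={0,2})'),
    "aws_access_key_id": re.compile(r'\b(AKIA[0-9A-Z]{16})\b'),
    "connection_string_password": re.compile(r'(?:Password|Pwd)\s*=\s*([^;"\'\s]{6,})', re.I),
}

# Constructed sample: the sort of "just for now" script that ends up on a share.
SAMPLE_SCRIPT = r"""# onboard-admin.ps1 (constructed example; hostnames and secrets are placeholders)
$pamUrl  = "https://pam.corp.example/api"
$pamUser = "svc_pam_admin"
$pamPass = "Sup3r-S3cret-PAM-Pa55!"          # "just for now"
$sec  = ConvertTo-SecureString "Tr0ub4dor&3" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ($pamUser, $sec)
$headers = @{ Authorization = "Basic c3ZjX3BhbV9hZG1pbjpTdXAzci1TM2NyZXQ=" }
$env:AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
$conn = "Server=db01;Database=audit;User Id=sa;Password=Winter2022!;"
Invoke-RestMethod -Uri "$pamUrl/secrets" -Headers $headers -Credential $cred
"""


def shannon_entropy(s):
    """Bits per character: random-looking secrets score high, placeholders score low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def redact(secret):
    """Keep a short prefix for triage, mask the rest."""
    return secret[:3] + "*" * (len(secret) - 3)


def scan(text, path="<memory>"):
    """Return one finding per matched secret; the finding never contains the secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, rx in PATTERNS.items():
            for m in rx.finditer(line):
                secret = m.group(1)
                user = ""
                if rule == "basic_auth_header":
                    try:  # a Basic token decodes to "user:password"; report only the user
                        user = base64.b64decode(secret).decode("utf-8").split(":", 1)[0]
                    except (ValueError, UnicodeDecodeError):
                        user = ""
                findings.append({"path": path, "line": lineno, "rule": rule,
                                 "secret": redact(secret), "user": user,
                                 "entropy": round(shannon_entropy(secret), 2)})
    return findings


def scan_share(root, suffixes=(".ps1", ".psm1", ".bat", ".cmd")):
    """Walk a mounted share and scan every script-like file under it."""
    return [f for p in Path(root).rglob("*")
            if p.is_file() and p.suffix.lower() in suffixes
            for f in scan(p.read_text(errors="replace"), str(p))]


if __name__ == "__main__":
    for f in scan(SAMPLE_SCRIPT, "onboard-admin.ps1"):
        print(f"{f['path']}:{f['line']} {f['rule']} {f['secret']} "
              f"entropy={f['entropy']} user={f['user'] or '-'}")
```

Point `scan_share` at a mounted share (or a checked-out repository) and feed the findings into a ticket per file; each one is a credential to rotate, not just a line to delete. The entropy column helps triage: a low score usually means a placeholder or a default, a high score means something that was generated and is probably live.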
The Final Lesson: Convenience Is the Attacker's Best Friend
Push notification MFA was adopted because it's frictionless. One tap. Back to work. And friction, deliberately designed, is often what separates a secured system from a breached one.
The Uber employee who approved that notification wasn't negligent. They were doing exactly what the system trained them to do: approve the prompt, get back to work. Security that depends entirely on human vigilance under pressure will always fail. Controls need to be designed assuming humans will take the path of least resistance — because they will, and so will attackers.
The attacker understood Uber's authentication system better than Uber's security team did. That asymmetry — an outsider understanding your environment's weaknesses more clearly than your own team — is the real vulnerability. Not the technology. The blind spot.
Taking Action: Know Where You Stand Before an Attacker Does
The Uber breach wasn't the result of a sophisticated adversary. It was the result of implementation gaps that existed for years before anyone looked for them. The question isn't whether your organization has these gaps — it's whether you find them first.
At Risk Ready Identity, we assess MFA implementation, credential management, and access control posture across your environment — and tell you exactly what an attacker would find. No jargon. No 80-page report nobody reads. A clear picture of your exposure and a prioritized path to closing it.
The assessment takes two weeks. The gaps it finds have been there for years.