Blame game follows Uber hack. Experts say don’t fault employee.

The Uber hack may be a lesson in poor security design and points to problems with vulnerable multi-factor authentication.
Uber headquarters in Mission Bay, San Francisco, Nov. 19, 2020. (Photo by Smith Collection/Gado/Getty Images)

In the wake of the Uber hack, allegedly by an 18-year-old who claimed he pwned the company because it had weak security, the conversation in infosec circles quickly centered on how it could possibly have been so easy to compromise one of the world’s most valuable tech companies.

The alleged hacker did not respond to a request for comment on Friday, but told The New York Times late Thursday that they’d socially engineered an Uber employee to gain access to the company’s systems. Screenshots shared across Twitter and other platforms seemed to demonstrate the wide-ranging access the attacker achieved, including to Uber’s accounts with Amazon Web Services, Google Suite and HackerOne.

The attacker told Corben Leo, a researcher and developer, that they gained access to a privileged access management tool which, when queried, revealed the credentials for the range of services.

That relative ease, according to a range of experts sharing initial opinions online, shows that this is a structural systems problem, not a problem at the individual employee level.


Coldwater’s tweet racked up nearly 1,000 retweets and nearly 4,500 likes in a matter of hours, with others sharing similar sentiments.

Bill Demirkapi, a researcher and security engineer with Microsoft, pointed out on Twitter that “the scope of the attack demonstrates another problem with centralizing authentication,” which is that “it can often be a single point of failure that can give attackers a wide variety of access, as we’ve seen in this example.”

If the details are accurate about how the attacker gained access, initially by spamming the employee with push-based multi-factor authentication requests, Demirkapi added, then this is not just an Uber problem. “The practices that led to their compromise are shockingly common,” he tweeted. “Vulnerable MFA is used everywhere, >60% of sites don’t even support hardware tokens.”


Similar attack methods were used in the recent breaches of Twilio, Okta and roughly 130 other companies, according to Group-IB, and experts say it’s a tactic on the rise.

“Why are we seeing an increase in SMS-based phishing? Because it’s working, becoming increasingly well documented by attackers, and there are now kits that make it easier to develop attacks to steal passwords and MFA codes,” tweeted Rachel Tobac, the CEO of SocialProof Security.

Organizations of all kinds are getting hit with these kinds of attacks, Sam Rubin, vice president at Unit 42 Consulting at Palo Alto Networks, told CyberScoop Friday. While not commenting specifically on Uber’s practices, Rubin said that although these attacks are not complex or sophisticated, “they’re still proving to be very successful.”

Ultimately “it comes down to educating employees to be aware of these tactics criminals are using to gain access to organizations,” he said. “They are often also using urgency and user fatigue to get people to click these links. If you’re unsure if IT or your help desk really sent a text message, reach out l directly to verify.”

Additionally, administrators could tighten MFA controls to reduce the risk, he said, a suggestion many others made Friday.

AJ Vicens

Written by AJ Vicens

AJ covers nation-state threats and cybercrime. He was previously a reporter at Mother Jones. Get in touch via Signal/WhatsApp: (810-206-9411).

Latest Podcasts