Uber – Dark Web Creds → MFA Push Fatigue → Hardcoded PAM Secret → Full AWS/GCP Admin
An 18-year-old attacker purchased an Uber contractor's VPN credentials from a dark web infostealer marketplace, then used MFA push-bombing combined with WhatsApp social engineering to bypass two-factor auth. Once inside the corporate network, they found a PowerShell script with hardcoded admin credentials for Thycotic — Uber's PAM system — unlocking full admin access to AWS, GCP, Slack, SentinelOne, HackerOne, and more within hours.
The targeted contractor's device had previously been infected with infostealer malware, which exfiltrated saved browser credentials to a dark web marketplace. The attacker purchased the username and password — no zero-day or technical exploit required.
Credential type: Uber contractor corporate VPN credentials
Defence gap: No monitoring for credential leakage · Third-party device not enrolled in MDM or health-checked before VPN access
The attacker repeatedly attempted VPN login, flooding the contractor's phone with MFA push notifications. After approximately an hour of notifications, they contacted the contractor on WhatsApp claiming to be Uber IT support and stating the only way to stop the notifications was to approve one. The contractor complied.
Social engineering: WhatsApp message posing as IT support: "I'm from Uber IT. Accept the push to stop the notifications."
MFA type: Push notification (not phishing-resistant FIDO2)
Why it worked: No number-matching · No limit on push attempt rate
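A detection for the push-bombing pattern described above, written as an added example (not Uber's or Duo's code); the log format, field names and thresholds are assumptions:

```python
"""Detect MFA push-fatigue (push-bombing) in authentication logs.
Added example over a constructed log format, not real Duo or Uber telemetry.
Flags (1) more than MAX_PUSHES prompts to one user inside WINDOW and
(2) an approval right after a burst of denied or timed-out prompts."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_PUSHES = 5                  # prompts tolerated per user inside WINDOW
WINDOW = timedelta(minutes=10)

@dataclass
class PushEvent:
    ts: datetime
    user: str
    result: str                 # "timeout", "denied" or "approved"
    src_ip: str

def parse_line(line: str) -> PushEvent:
    """Parse one constructed line: '<ISO-8601 UTC> user=<u> result=<r> src=<ip>'."""
    ts_str, *pairs = line.split()
    f = dict(p.split("=", 1) for p in pairs)
    return PushEvent(datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
                     f["user"], f["result"], f["src"])

def detect_push_fatigue(lines):
    """Return sorted, de-duplicated (user, reason) findings."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e.ts)
    recent = defaultdict(list)  # user -> prompts still inside the sliding window
    findings = set()
    for ev in events:
        window = [e for e in recent[ev.user] if ev.ts - e.ts <= WINDOW] + [ev]
        recent[ev.user] = window
        unanswered = sum(e.result in ("timeout", "denied") for e in window)
        if len(window) > MAX_PUSHES:
            findings.add((ev.user, "push-rate"))
        if ev.result == "approved" and unanswered >= MAX_PUSHES:
            findings.add((ev.user, "approved-after-burst"))
    return sorted(findings)

# Constructed sample: one benign login, then a push burst ending in an approval.
SAMPLE_LOG = [
    "2022-09-15T20:00:00Z user=alice result=approved src=198.51.100.4",
    "2022-09-15T20:01:00Z user=jdoe result=timeout src=203.0.113.7",
    "2022-09-15T20:02:00Z user=jdoe result=timeout src=203.0.113.7",
    "2022-09-15T20:03:00Z user=jdoe result=denied src=203.0.113.7",
    "2022-09-15T20:04:00Z user=jdoe result=timeout src=203.0.113.7",
    "2022-09-15T20:05:00Z user=jdoe result=timeout src=203.0.113.7",
    "2022-09-15T20:07:00Z user=jdoe result=approved src=203.0.113.7",
]
```

The "approved-after-burst" finding is the one worth paging on: it is the moment a worn-down user accepts, and it is invisible to an alert that only counts failures.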
Once the contractor approved the push, the attacker connected to Uber's corporate VPN and began scanning the internal network. Internal infrastructure had no micro-segmentation — a contractor VPN account could reach all internal file shares.
Recon target: Internal file shares and intranet services
Defence gap: No east-west network segmentation · Contractor VPN had broad internal network visibility
On an internal network share accessible via the contractor VPN, the attacker found a PowerShell script containing plaintext admin credentials for Thycotic — Uber's Privileged Access Management platform. This single file became the skeleton key to every system in the organisation.
Contents: Hardcoded Thycotic domain admin username + password in plaintext
Irony: Thycotic was the PAM system specifically designed to prevent hardcoded secrets
Root cause: Automation script needed PAM API access but used a static credential instead of a scoped service account
Using the admin credentials, the attacker logged into Thycotic and extracted all stored secrets. Thycotic was the single source of truth for credentials across Uber's entire cloud and SaaS footprint.
→ AWS (cloud infrastructure admin)
→ GCP + Google Workspace (admin)
→ Slack workspace (admin — used to announce breach to all Uber employees)
→ SentinelOne XDR (admin — ability to suppress security alerts)
→ HackerOne admin console (access to private vulnerability reports)
→ Duo, OneLogin, VMware vSphere, Uber internal dashboards
The attacker used their Slack admin access to broadcast a message to all Uber employees announcing the breach, then posted screenshots on Twitter under "teapotuberhacker." Uber's security team discovered the breach within hours — not through monitoring, but through the attacker's announcement.
Key gap: No alert fired on new AWS admin account creation · No alert on PAM admin login from unknown device
Impact of SentinelOne access: the attacker could have suppressed EDR alerts to cover their tracks