The Uber Breach: How a 17-Year-Old Hacked a Fortune 500 Company
- Hagai Bichler
- Mar 23
- 35 min read
Updated: Mar 24

00;00;00;01 - 00;00;11;11
Ori Stein | CISO at TrustNet Security
He never could have done it by himself. He couldn't climb the mountain. He needed to have a friend. He needed to have a team. And if you have a good team as a CISO, this will save the day.
00;00;11;13 - 00;00;41;04
Jeremy Ladner | The CISO Signal
On this episode, we take a ride back to 2022 to investigate the Uber breach where a teenager with nothing more than a clever lie and stolen keys slipped behind the wheel of a multibillion dollar company and took it for a joyride, exposing its most guarded secrets. No elaborate malware, no nation state army. Just a persuasive message, a few whispered words and suddenly the doors swung open.
00;00;41;07 - 00;01;09;19
Jeremy Ladner | The CISO Signal
Every control, every alarm, every bright line of defense faded into the rear-view. And by the time anyone realized what had happened, they weren't passengers anymore. They were hostages. Joining me on this drive into the dark heart of social engineering is our guest, Ori Stein, CISO at TrustNet. Someone who's seen how easily trust can become a weapon. Ori, welcome to the podcast.
00;01;09;21 - 00;01;11;26
Jeremy Ladner | The CISO Signal
Before we hit the road, can you tell us a bit about yourself?
00;01;12;00 - 00;01;25;16
Ori Stein | CISO at TrustNet Security
My name is Ori Stein. I've been in security for 20 years. I started out as a practitioner and with time I went up to different roles in cyber security and now today I'm the CISO for Tama Group here in Israel.
00;01;25;23 - 00;01;55;23
Jeremy Ladner | The CISO Signal
Great to have you with us. Now let's begin the investigation. We are in the midst of a ceaseless war, not of bombs or bullets, but of breaches, firewalls and silent incursions. The targets, our borders, our banks, our commerce and the critical infrastructure that underpins a free civilization. The enemy is cloaked in code, fueled by greed, glory, and a desire for chaos.
00;01;55;26 - 00;02;23;01
Jeremy Ladner | The CISO Signal
This is the story of the unseen protectors, the nameless generals, the CISOs, chief information security officers. They are the guardians at the gate, watchers on the wall. Ever vigilant and always listening for The CISO Signal.
00;02;23;03 - 00;02;49;23
Jeremy Ladner | The CISO Signal
Uber was built like a modern-day fortress, resting on the shaky foundations of a boastful business model, all about disrupting the legacy taxi licensing monopoly. Uber's gates weren't made of steel. They were constructed from code. Its guardians were policies with names like zero trust and multi-factor authentication. And inside those walls, many believed they had planned for every contingency.
00;02;50;01 - 00;03;19;00
Jeremy Ladner | The CISO Signal
But there's one thing even the best blueprints often forget: the people. Not just insiders with keys, but outsiders who understand how to make those keys turn. In late 2022, something slipped through Uber's digital defenses. Not with a battering ram, not with malware, but with a message. The kind that sounds hopeful, urgent and familiar. What followed wasn't just a breach.
00;03;19;03 - 00;03;47;20
Jeremy Ladner | The CISO Signal
It was a gut punch to the tech world's assumptions about what's secure, what's safe, and what a teenager can do with the right words at the right time. This is what happens when Uber gets taken for a ride on The CISO Signal. So what do you imagine was going through Joe Sullivan's mind? Uber's CEO, the moment he first learned of the breach and the teenager taunting them on their internal Slack channels?
00;03;47;22 - 00;04;10;05
Ori Stein | CISO at TrustNet Security
I don’t think that at first they even realized the attacker was just a teenager. When an incident starts, you only see that a system has been compromised. In a case like this, with someone like Joe Sullivan involved, who had a lot of experience and even worked for the government before, the response becomes very procedural. When you are working at a company like Uber, a very large organization, you don’t immediately think about personal liability.
00;04;10;11 - 00;04;33;19
Ori Stein | CISO at TrustNet Security
You handle it professionally. You have playbooks, and you follow those playbooks just like in any other incident. Of course this one was large, but the process is the same. You align with the procedures, you start the investigation, you keep a cool head, and you move step by step. I don’t think there was panic. I think it was handled in a very professional way.
00;04;33;22 - 00;04;48;29
Jeremy Ladner | The CISO Signal
So back in 2022, Uber was already a massive company with tens of thousands of employees, around 30,000 at the time of the breach. What role, if any, do you think company culture played in this security incident?
00;04;49;02 - 00;05;15;04
Ori Stein | CISO at TrustNet Security
I don’t think this was a case of negligence, or that security was not important to the organization. In a company the size of Uber, it is extremely difficult to lock down every single port and every system in the network. As a CISO, your job is to mitigate risk, but you cannot have a policeman watching every user all the time.
00;05;15;08 - 00;05;39;11
Ori Stein | CISO at TrustNet Security
The nature of modern technology also means that some systems need high privileges in order to run. You cannot guarantee that every developer, every security engineer, every IT employee always follows every procedure perfectly. Sometimes systems are upgraded, or a third-party integrator makes a change, and something gets added that you did not intend to allow.
00;05;39;11 - 00;05;47;10
Ori Stein | CISO at TrustNet Security
That is why this is so hard. You see thousands of events every day, but it only takes one of them to turn into a real incident.
00;05;47;15 - 00;06;06;08
Jeremy Ladner | The CISO Signal
We love making this podcast, and we really hope that shows in the care and quality that we invest in it. And we would really appreciate it if you could take a moment to like and share it with your fellow security professionals, as well as dropping us a comment, letting us know what stories and guests you'd like to have on the podcast in future episodes.
00;06;06;10 - 00;06;09;25
Jeremy Ladner | The CISO Signal
Now back to the story.
00;06;09;27 - 00;06;48;00
Jeremy Ladner | The CISO Signal
Act 1: A Fortress in the Cloud
From the outside, Uber was a fortress, not of stone, but of systems not guarded by soldiers, but by software. Behind its digital gates pulsed a global empire: rides, deliveries, logistics, all orchestrated by code. All reliant on trust. In 2022, Uber wasn't just a company, it was a verb. Tens of thousands of employees, contractors and partners, millions of users, and billions of transactions.
00;06;48;03 - 00;07;28;17
Jeremy Ladner | The CISO Signal
Its backend spread across AWS, Google Workspace, Duo Security, OneLogin and more. A sprawling ecosystem, interconnected, interdependent and invisible. But with size often comes complexity, and with complexity, cracks. Uber, like many tech titans of San Francisco, invested heavily in security: penetration testing, bug bounty programs, single sign-on, two-factor authentication, a sophisticated internal architecture designed to stop threats at the gate.
00;07;28;20 - 00;07;59;12
Jeremy Ladner | The CISO Signal
What they didn't plan for was someone already holding the keys. At the heart of Uber's security model was a belief in verification: MFA, multi-factor authentication, designed to stop unauthorized access even if a password leaked. If someone got hold of your credentials, they'd still need a second check, a push notification to your phone, one final barrier between an intruder and the kingdom inside.
00;07;59;15 - 00;08;38;24
Jeremy Ladner | The CISO Signal
But MFA has a flaw. It depends on human behavior, and humans get tired. Enter a relatively new tactic in the attacker's playbook. MFA fatigue: a method as subtle as it is relentless. Here's how it works. An attacker obtains a username and password, often from a prior breach or a sale on the dark web. Then they flood the user's phone with a barrage of MFA prompts, minute after minute, hour after hour, each one asking: do you approve this login?
00;08;38;26 - 00;09;20;16
Jeremy Ladner | The CISO Signal
It's not hacking in the traditional sense. It's harassment, wearing down the willpower of a person until they tap yes, just to make it stop. This technique had surfaced in scattered reports targeting corporations, nonprofits, and even governments, but many still underestimated its power or assumed it couldn't happen here at Uber. It started with a contractor: young, likely undertrained, possibly overworked, one of the thousands with access to the internal VPN, someone who had credentials that could be used but not, it was believed, abused. Until they were.
00;09;20;18 - 00;09;50;12
Jeremy Ladner | The CISO Signal
What no one at Uber realized, at least not yet, was that someone had bought this contractor's login details, and that someone had a plan. Not a virus, not malware, just a script, a strategy, and patience. The attacker didn't go for Uber's firewalls, didn't launch zero-days, didn't exploit technical vulnerabilities. They targeted a person, and they waited for the moment that person let their guard down.
00;09;50;17 - 00;10;15;06
Jeremy Ladner | The CISO Signal
Uber had spent billions to keep bad actors out, but in the end, they didn't need to break in. They only had to be let in, and soon they would be. So with a company the size of Uber, the number of alerts coming in on a daily basis is going to drown an inexperienced SOC team, and the vast majority of those alerts, of course, are just false alarms.
00;10;15;06 - 00;10;37;16
Jeremy Ladner | The CISO Signal
They're going to be forgotten as quickly as they pop up. But there's the wisdom that comes with experience, and the knowledge that one of those alerts one day could potentially explode into an incident that's going to take down the entire company. What is the weight of that responsibility like for you personally as a CISO?
00;10;37;19 - 00;10;57;21
Ori Stein | CISO at TrustNet Security
Yes, that is why you invest a lot in training and awareness. It also depends on the quality of your team. When you have a strong team, they develop a sense of what the normal baseline looks like for the company. Events are coming in all the time, and many of them are false positives, but over time you learn what is typical and what is not.
00;10;57;23 - 00;11;21;13
Ori Stein | CISO at TrustNet Security
A good SOC team knows the difference between a benign event and something that looks unusual. When something does not match the normal pattern, they understand that it needs to be investigated. A strong SOC team will flag that kind of event very early, and in many cases that early detection is what prevents an event from turning into a real incident.
00;11;21;15 - 00;11;28;02
Jeremy Ladner | The CISO Signal
Interesting. So it is almost like a kind of Spidey-sense, where something just feels off even if you cannot explain it immediately.
00;11;28;06 - 00;11;48;17
Ori Stein | CISO at TrustNet Security
Exactly. It also depends on the seniority of the SOC team. They need to understand the business, the applications, the network, and the infrastructure. When the team is experienced, they develop that kind of instinct. They can sense that something is wrong, even before they know exactly why, and that is usually the moment when they decide to take a closer look.
00;11;48;20 - 00;11;57;01
Jeremy Ladner | The CISO Signal
Whereas the vast majority of these incidents, you’re just like, okay, that's just a typical issue that we're dealing with. We know that we can dismiss it and move on to the next.
00;11;57;07 - 00;12;15;26
Ori Stein | CISO at TrustNet Security
Yeah. I mean, if you didn't fine tune your systems and you get ten thousands of events every second, there's no human who can say, yeah, that's a little suspicious. So you need to fine tune every system and every new system that gets onboarded. You need to see that it reports to your security operations center. And then it comes down to the people.
00;12;15;26 - 00;12;33;22
Ori Stein | CISO at TrustNet Security
People are the most important part of the security team. They are the ones watching the events, and if they truly understand the organization, they will notice unusual activity very quickly. That is the key. Prevention is always the ideal, but strong detection and fast response are absolutely essential.
00;12;33;24 - 00;12;57;11
Jeremy Ladner | The CISO Signal
Act 2: It Began
It began the way so many breaches do: not with a bang but a ping. The contractor, name unknown to the public, forgotten by the company they briefly worked for, was under siege. Not by malware, not by a brute-force attack, but by the sound of his phone buzzing again and again and again. Each alert was the same. Approve login?
00;12;57;11 - 00;13;25;26
Jeremy Ladner | The CISO Signal
Yes or no? Push notifications designed to protect, now turned into weapons of attrition. Uber's security system had been carefully calibrated to assume the best, that a second check would stop an intruder cold, but it hadn't accounted for something more dangerous than malware: exhaustion. And then, as the MFA fatigue wore on, the attacker made their move.
00;13;25;29 - 00;13;53;18
Jeremy Ladner | The CISO Signal
A WhatsApp message appeared: professional, polite, concerned. "Hey, this is IT. We've noticed some login anomalies. Need your help to resolve them." No menacing threats, no broken English, just reassurance. The kind of social engineering that doesn't raise alarm bells but dismantles them. The attacker wasn't hiding behind a mask or code. They were playing a role. One that felt helpful, human, trustworthy.
00;13;53;20 - 00;14;32;09
Jeremy Ladner | The CISO Signal
They told the contractor how to approve the login request, explained how to resolve this issue, and nudged him through the steps. And eventually he tapped yes. At that moment, the attacker's access was no longer hypothetical. It was real. They were inside. But this wasn't a smash and grab. This was reconnaissance inside Uber's network. The intruder took their time, navigated through VPN-protected systems, scanned shared internal folders, and there, among routine scripts and config files, they found it: a single PowerShell script.
00;14;32;11 - 00;15;06;06
Jeremy Ladner | The CISO Signal
Harmless on the surface, but embedded inside: hardcoded administrator credentials. A relic from a rushed deployment, a shortcut by a dev who meant well, no one knows, but the result was catastrophic nonetheless. With those credentials, the attacker didn't just have access, they had power. They moved laterally, quickly, precisely. First, the domain controller, the brain of Uber's internal network. Then, Duo Security's admin panel, where MFA policies could be manipulated.
00;15;06;08 - 00;15;51;00
Jeremy Ladner | The CISO Signal
OneLogin, Uber's identity provider, and AWS, where backend infrastructure lived. And then finally G Suite, the digital home of Uber's corporate memory: vaults of sensitive information, live dashboards, engineering roadmaps, private communications, everything now within reach, and all of it obtained without writing a single line of exploit code. This wasn't a technical marvel. It was a con job. A 17-year-old, yes, 17, had maneuvered through one of the world's most well-defended corporations, using only persistence, intuition and charm.
00;15;51;03 - 00;16;24;11
Jeremy Ladner | The CISO Signal
But here's the twist: even as the attacker's elevated privileges moved through systems and exfiltrated data, Uber still had no idea. The alarms hadn't gone off. Security teams weren't mobilized, no blinking red lights on a dashboard somewhere. Just silence. Because the breach hadn't come through a firewall. It had walked through the front door, held open by someone who thought they were being, or for, and behind that open door.
00;16;24;13 - 00;16;55;23
Jeremy Ladner | The CISO Signal
The real show was just beginning. So if we're looking for a prevention versus detection sort of analogy here, I'm going to use a popular culture reference, one of my favorite all time books and movie series, Lord of the Rings. And I've got to think it's better to have Legolas and a bunch of elves up on the castle parapets with bows and arrows, taking out orcs from hundreds of yards away instead of Aragorn and Gimli taking on the orcs after they've already breached the castle gates.
00;16;55;25 - 00;17;07;01
Ori Stein | CISO at TrustNet Security
Wow, that’s awesome. I mean, Frodo, the one who held the ring, was always challenged by the idea that maybe something better could come from it, that he might give in to the ring. And he had the strength.
00;17;07;03 - 00;17;08;03
Jeremy Ladner | The CISO Signal
Sam.
00;17;08;05 - 00;17;22;25
Ori Stein | CISO at TrustNet Security
He was pushed and pulled the whole time, and in the end he almost gave in at the last moment. He said he could feel it, he could sense it. And that’s a good example, because you are always on that edge, feeling like something might go wrong, and then it comes down to the people around you.
00;17;22;27 - 00;17;27;04
Jeremy Ladner | The CISO Signal
Yeah, every CISO needs a Samwise Gamgee by their side.
00;17;27;06 - 00;17;44;05
Ori Stein | CISO at TrustNet Security
Yeah, Sam, Sam, right, that’s his name. Exactly. He could never have done it alone. He couldn’t climb the mountain by himself. He needed friends, he needed a team. And if you have a good team as a CISO, again, that’s what saves the day.
00;17;44;05 - 00;17;50;14
Jeremy Ladner | The CISO Signal
The secret to a CISO’s success is having a fellowship around them.
00;17;50;17 - 00;18;16;16
Ori Stein | CISO at TrustNet Security
Yeah, that’s the fellowship, exactly. Not many companies have the luxury of having a full in-house SOC. Many times you depend on outsourcing or MSSPs, and they don’t always know the business. In the end, it comes down to really knowing your systems, the network, the applications, the users, and the business you are in.
00;18;16;18 - 00;18;48;12
Jeremy Ladner | The CISO Signal
Act 3: The Keys to the Kingdom
Inside Uber, nothing looked out of place. The dashboards hummed, the metrics ticked forward, and engineers sipped coffee and filed tickets. The business of disrupting the world continued uninterrupted. But beneath the surface, deep in the veins of the system, a silent intruder had taken root. Not lurking, exploring. Their credentials now carried the full weight of an Uber admin.
00;18;48;14 - 00;19;21;21
Jeremy Ladner | The CISO Signal
Not a rogue user, not a glitch in the matrix, an actual keycard blessed by the system and waved past every security gate. Most intrusions rely on stealth. This one relied on legitimacy. Every login, every query was authenticated, verified, and approved by Uber's own identity systems. No flashing alerts, no intrusion detection sirens because as far as the software was concerned, the attacker was actually who they claimed to be.
00;19;21;21 - 00;19;50;01
Jeremy Ladner | The CISO Signal
And so, step by step, they wandered through the architecture. They accessed the company's internal SharePoint drives, its Slack channels, its AWS control panels. Some systems had additional protection, some were left wide open. In one internal document, the attacker discovered credentials that hadn't yet expired. In another, access tokens for third-party services. Each new discovery peeled back another layer.
00;19;50;04 - 00;20;35;10
Jeremy Ladner | The CISO Signal
Each door opened revealed another hallway, and then, in the blink of a cursor, they found it: HackerOne. Uber's private bug bounty program, a platform where researchers quietly submit vulnerabilities, where engineers fix holes before bad actors can find them. A digital confession booth for security. So the attacker logged in and read, and read, and read: unpatched vulnerabilities, zero-day exploits, blueprints to Uber's most sensitive weak points, hand-written by white-hat hackers who trusted they'd remain secret. Now in the hands of someone who wasn't here to help…
00;20;35;10 - 00;21;08;11
Jeremy Ladner | The CISO Signal
Screenshots were taken, documents downloaded, and exploit details cataloged. It was a breach of terrifying symmetry. A hacker stealing the secrets of other hackers, some of which could be weaponized against Uber or sold to the highest bidder. But this was never about subtlety. Not anymore. Because next, the attacker moved to Slack, Uber's digital watercooler, a place where projects are born, jokes are traded, and product launches are quietly celebrated.
00;21;08;16 - 00;21;40;05
Jeremy Ladner | The CISO Signal
And in the middle of a routine afternoon, the attacker introduced themselves. They posted under the handle, “Uber has been hacked”, not just one message. Several screenshots, credentials, dashboards, admin panels all shared in a company-wide channel. The screenshots weren't faked and they weren't vague. They were precise, damning and unmistakably real. Some employees assumed it was a prank…
00;21;40;05 - 00;22;16;13
Jeremy Ladner | The CISO Signal
Others thought it might be an internal security test, but it wasn't. The attacker was showing their cards. They were flexing. And behind the scenes, Uber's security team began scrambling, slowly at first, then with a rising sense of dread. The scale was incomprehensible, the scope unthinkable. The attacker had gotten into places that should have been unreachable. They bypassed systems designed by some of the most advanced security teams in the world, and they'd done it without malware, without ransomware, without deploying a single exploit.
00;22;16;13 - 00;22;49;00
Jeremy Ladner | The CISO Signal
They'd done it with psychology, a text, a push notification, a moment of human vulnerability. By the time Uber began containment, the attacker had already burrowed deep into the core. Access was revoked, systems were locked down, credentials rotated, but the damage was done. What began with a tired contractor tapping approve had now exploded into a full scale security incident that spanned departments, platforms and continents.
00;22;49;00 - 00;23;09;06
Jeremy Ladner | The CISO Signal
A teenager, 17 years old, had paralyzed a tech titan, and he was only just getting started. Do you think it's possible that a more strategic, multi-factor authentication configuration could have changed the outcome for Uber?
00;23;09;12 - 00;23;31;14
Ori Stein | CISO at TrustNet Security
If you look at the event itself, at the core it was a social engineering attack. These kinds of scams have existed for decades, like the classic Nigerian prince scam. You get an email saying, “I’m a prince from Nigeria, I inherited a lot of money and I need your help.” There is no technical solution that can fully prevent something like that.
00;23;31;14 - 00;23;53;04
Ori Stein | CISO at TrustNet Security
Because if someone comes to you and says, “I’m in trouble, can you help me with $1,000?” and you choose to give it to them, there is no technical control that can stop that. The only real defense is awareness, educating users, and making sure people understand that this should not happen. Social engineering is very hard to solve with technology alone.
00;23;53;04 - 00;24;14;00
Ori Stein | CISO at TrustNet Security
It mostly comes down to awareness and the person involved. In the Uber case, the employee actually did the right thing at first. He kept getting bombarded with MFA requests and did not approve them. But then the attacker contacted the same person, I think through WhatsApp, and said, “I’m from the help desk.”
00;24;14;00 - 00;24;32;19
Ori Stein | CISO at TrustNet Security
He asked, “Is your phone getting bombarded with authentication requests?” The employee said yes, and the attacker replied, “We know the issue. Just approve it once and we will take care of the rest.” That was the attack, and that is how the attacker got in. So the question is, what can you do in a situation like that?
00;24;32;27 - 00;24;59;26
Ori Stein | CISO at TrustNet Security
You try to build layered defenses. If someone gets in through social engineering, you want to make it harder for them to move laterally inside the system. In this case there were good layers of defense, but again it came down to a small mistake. That mistake was having credentials hard-coded in the code, and those credentials were accessible to everyone.
00;24;59;29 - 00;25;05;29
Jeremy Ladner | The CISO Signal
So that's the next question. Why is storing hardcoded credentials and scripts still such a common failure point?
00;25;06;02 - 00;25;29;22
Ori Stein | CISO at TrustNet Security
Sometimes it comes from technical limitations. Sometimes it is done just to make an upgrade work, with the intention of fixing it later, and then it gets forgotten. And sometimes it is simply about making life easier. Security is hard, even for administrators, and there are many sensitive tasks. People want to automate their work, so they run a script to do it for them.
00;25;29;22 - 00;25;51;15
Ori Stein | CISO at TrustNet Security
The problem is that if you do things for convenience or speed, instead of doing them manually every time, you have to think about the risk. Many times these decisions never even reach the CISO. It can be an IT person or someone in DevOps who makes the call, and they are not security specialists.
00;25;51;17 - 00;26;04;16
Ori Stein | CISO at TrustNet Security
They end up taking the risk without really thinking in terms of security. They are not security people, so they do not think in terms of risk. They think in terms of productivity, getting the job done, and giving the business what it needs to keep running.
00;26;04;18 - 00;26;13;22
Jeremy Ladner | The CISO Signal
So as someone who builds global security programs, what's your take on how Uber could have spotted lateral movement sooner, if at all?
00;26;13;24 - 00;26;37;14
Ori Stein | CISO at TrustNet Security
So again, it comes down to defense in depth, or layered defense. So you need to think about risks, about what happens at every point of interaction, how a bad guy can get inside your network. And lateral movement? It’s really challenging to defend against, because usually companies have a hard outer shell, but an inside that is squishy.
00;26;37;17 - 00;27;04;13
Ori Stein | CISO at TrustNet Security
That's just the reality. You know, you have legacy tech, you have the new systems, you have complex systems, and you can't really separate the internal network from everything. Because again, you try to be productive. It's really hard to balance productivity with security. So from the outside, you always want to have a hard shell. And from the inside you try to mitigate risks.
00;27;04;13 - 00;27;25;29
Ori Stein | CISO at TrustNet Security
And the reality is you can't do it every time for every system. And that's why it's hard to prevent lateral movement. Again, it comes down to detecting. Detection is key. If you're unable to detect lateral movement you cannot prevent it. But if you detect it then you are able to respond. And then they just use usernames and passwords.
00;27;25;29 - 00;27;36;27
Ori Stein | CISO at TrustNet Security
They were clear text. So they just logged in as a regular user. And you can differentiate your administrators from the pack. And if they have got high privileged access.
00;27;37;00 - 00;28;06;25
Jeremy Ladner | The CISO Signal
What’s your take on the fact that this attacker, it seemed, wasn't interested in ransom, wasn't interested in destruction, was just kind of interested in gloating and making it very public very early on. I mean, on the Slack channels, they were taking screenshots. They reached out, I think, to the New York Times letting everyone know. I mean, they could have hung out quietly inside for some period of time and gotten information that they could have profited from.
00;28;06;25 - 00;28;09;02
Jeremy Ladner | The CISO Signal
What do you think about that?
00;28;09;04 - 00;28;29;27
Ori Stein | CISO at TrustNet Security
I think the group that the attacker was part of, Lapsus$, was more like teenagers, very knowledgeable, but still teenagers. They wanted to be in the headlines. They wanted that old-school hacker feeling, like in the 90s, where you could say, “I did something that affected the real world,” and see it on the news.
00;28;29;27 - 00;28;52;10
Ori Stein | CISO at TrustNet Security
For them it was like, “I managed to breach Uber, that’s a cool story I can tell my friends on Slack channels.” They want to say, “Yeah, I did it, I was responsible for it.” I don’t think they were like the hardcore gangs that are only trying to make money. It felt more like a reputational thing, like, “I’m part of this group, and look what we managed to do.”
00;28;52;13 - 00;29;28;07
Jeremy Ladner | The CISO Signal
Act 4: The Ghost in the Gears
The building blocks of any modern company are made of code, APIs, tokens, dashboards and credentials. Invisible scaffolding that powers everything from logins to logistics. And Uber had plenty of it. Layers upon layers of systems and services and third party integrations. A digital skyscraper built on the speed of ambition but no matter how tall the structure, no matter how clean the code, the foundation is always human.
00;29;28;09 - 00;29;55;29
Jeremy Ladner | The CISO Signal
And now a ghost moved through that foundation, uninvited, unseen and unstoppable. What began as a quiet infiltration had exploded into an open parade of compromise, one system after another waving the attacker through as though they were wearing an Uber badge and a company-issued hoodie. He pivoted across environments, from AWS to G Suite to OneLogin to Duo.
00;29;55;29 - 00;30;28;08
Jeremy Ladner | The CISO Signal
He touched the domain controller, the security consoles, the internal admin tools once reserved for only the most trusted employees. He didn't need to guess passwords, and he didn't need to brute-force logins. He had the golden ticket, granted not by force, but by faith, because somewhere along the way, trust had become the soft underbelly of cybersecurity. A helpdesk request, a name that sounded familiar, a tone that sounded just convincing enough.
00;30;28;10 - 00;31;08;07
Jeremy Ladner | The CISO Signal
That's all it took to turn an ordinary employee into an unwitting accomplice. But the attacker didn't stop at access. He wanted an audience, and now he had one. After his messages exploded into Uber's internal Slack, engineers began investigating. They followed the trail of breadcrumbs, screenshots, logs, unusual access patterns, and then they saw it. Live sessions opened under legitimate accounts, console commands issued from IP addresses that didn't match any known employee. Access was revoked, passwords reset, tokens purged.
00;31;08;10 - 00;31;44;23
Jeremy Ladner | The CISO Signal
But it was like slamming the brakes after driving off the cliff. The attacker had already exfiltrated documents, internal communications and bug reports. He'd broadcast his presence like a warlord announcing a siege. And with every screenshot shared online, Uber's internal chaos became external theater. News outlets pounced. The word "hacked" lit up headlines from Silicon Valley to Singapore. Whispers of an inside job, speculation of state-sponsored actors, and fingers pointed at foreign adversaries.
00;31;44;23 - 00;32;26;22
Jeremy Ladner | The CISO Signal
But the truth was more unsettling. It wasn't a nation state. It wasn't ransomware. It wasn't even a team. It was a single teenager operating alone, using free tools and communicating through public apps and cloud-based platforms. No war chest, no zero-day exploit, just social engineering, luck, and a disturbing level of competence. And as investigators started connecting the dots, a familiar name emerged from the shadows: Lapsus$, a hacking collective known more for chaos than cash, a group that traded infamy like currency.
00;32;26;25 - 00;32;57;02
Jeremy Ladner | The CISO Signal
And this breach fit their signature perfectly: loud, brash and very public. Whether the teenager was a full-fledged member or simply inspired by them remained unclear, but the effect was the same. Uber was now the latest trophy on the Lapsus$ wall. Internally, a war room was assembled and engineers worked around the clock, scrubbing logs, tracing access paths, cataloging every compromised system.
00;32;57;05 - 00;33;31;10
Jeremy Ladner | The CISO Signal
Externally, Uber tried to calm the storm. A public statement was issued. It confirmed the breach, but stopped short of revealing how deep the attacker had gotten, because at that point, even Uber wasn't sure. The attacker moved like a phantom. They touched everything and left digital fingerprints on nearly every pane of glass. And he'd done it not with sophisticated malware or a $1 million exploit, but by exploiting something far older than any technology.
00;33;31;12 - 00;33;40;19
Jeremy Ladner | The CISO Signal
The human instinct to help. So when a breach gets this public this fast, what are the stakes for security leadership?
00;33;40;24 - 00;34;05;25
Ori Stein | CISO at TrustNet Security
Uber is such a big company, with a huge footprint, and they hold a lot of sensitive data. They have driver’s licenses, personal information, GPS data, a lot of very sensitive user data. As a CISO, this is your main responsibility, to safeguard that data. And when you look at this case, the stakes were very high, very significant.
00;34;06;01 - 00;34;11;20
Ori Stein | CISO at TrustNet Security
And Joe knew exactly what responsibility he had, and what he needed to protect.
00;34;11;22 - 00;34;32;10
Jeremy Ladner | The CISO Signal
You mentioned certainly the private data of the drivers, the private data of the company and the routes that they're taking, the private data of the consumers who, you know, I'm guessing there's credit card information and there's all sorts of additional data that way. So once a hacker has access to that, there's all sorts of potential repercussions and costs there.
00;34;32;10 - 00;34;42;06
Jeremy Ladner | The CISO Signal
But it certainly damages their brand, the trust that they have with the public. How do you, as a security professional, deal with that?
00;34;42;08 - 00;35;04;06
Ori Stein | CISO at TrustNet Security
The thing is, I think that for Uber there was already an ongoing investigation from a previous incident. The FTC had an investigation open. So think about the CISO’s situation. The company is already under investigation, there are going to be consequences, and then you suddenly have to deal with another incident, an even bigger one. What do you tell the regulators?
00;35;04;06 - 00;35;30;06
Ori Stein | CISO at TrustNet Security
How can you come forward and say, “Listen, we have another breach,” when the first one is not even closed yet? That creates immense pressure, really immense pressure. And I am sure there is also pressure from the business side. Maybe nobody says it directly, but regulation is a business risk, and the potential fines are huge. Imagine having one investigation already in progress, and then a second one happens before the first is resolved.
00;35;30;06 - 00;35;38;05
Ori Stein | CISO at TrustNet Security
That kind of situation can bury a company. And I think the CISO did what he believed was best in order to protect the company and its reputation.
00;35;38;08 - 00;35;53;06
Jeremy Ladner | The CISO Signal
So as a CISO, you've got that glorious C in your title. But unlike the rest of the C-suite, you've got some unique legal liability and exposure issues. What are your thoughts on that?
00;35;53;08 - 00;36;11;29
Ori Stein | CISO at TrustNet Security
That’s right. The challenges are huge, the pressure is huge. You are always thinking about the worst-case scenarios, and even then, when something happens, you can still get thrown under the bus. You are told you are responsible for security, but in reality you cannot defend against 100% of all events.
00;36;12;01 - 00;36;29;11
Jeremy Ladner | The CISO Signal
So since the Uber breach, the role of the CISO has evolved, especially when it comes to expectations around public transparency, and of course regulations have changed as well. Can you talk a bit about that evolution, and the pros and cons when it comes to CISO responsibility and transparency?
00;36;29;14 - 00;36;51;13
Ori Stein | CISO at TrustNet Security
It’s interesting, because every incident is a different beast. Each one has its own life, its own circumstances. The question of transparency also depends a lot on the culture of the organization. If you are a publicly traded company, being too transparent can hurt your stock price, at least that was the concern back then.
00;36;51;15 - 00;37;09;17
Ori Stein | CISO at TrustNet Security
Today we have regulations that say you need to report within 72 hours, but back then being very transparent could actually backfire. And most of the time, during a major incident, you don’t even know all the details yet. You don’t fully understand what happened, so being too transparent too early can sometimes cause more damage.
00;37;09;20 - 00;37;29;28
Jeremy Ladner | The CISO Signal
Absolutely. If being transparent means that the stock takes a tumble and all the shareholders and the board are banging at your door saying, "What are you doing?" Yeah, you've got communications people who were there and PR people who were very carefully managing the message that goes out. It's a very challenging situation.
00;37;29;28 - 00;37;54;09
Ori Stein | CISO at TrustNet Security
In PR, every word gets dissected, so the context really matters. Sometimes you read breach notifications and they sound like generic text written by a lawyer, just blah blah blah, saying “we are looking into it.” You can tell they are not really being transparent. Transparency should mean saying, we had an incident, we are actively investigating it, and we are doing everything we can.
00;37;54;09 - 00;38;18;06
Ori Stein | CISO at TrustNet Security
You show that you have teams working on it, and you explain the process, not necessarily every technical detail, but what you are doing about it. There was a big cyber incident with a service provider, a third party that manages networks for many companies, and they got breached.
00;38;18;09 - 00;38;38;27
Ori Stein | CISO at TrustNet Security
The CEO went on camera, on YouTube, and just said it openly: we messed up, it’s our fault, and we are doing everything we can to fix it. We didn’t want this to happen, but it did, and now we are doing A, B, and C to respond. That kind of transparency actually brought them a lot of support, just by being honest and truly open about it.
00;38;38;27 - 00;38;47;19
Ori Stein | CISO at TrustNet Security
And, you know, big companies said we will help you with no charge. But again, it depends on the company. If you're publicly traded, it depends on the stakes and the risk levels.
00;38;47;22 - 00;39;17;11
Jeremy Ladner | The CISO Signal
Yeah, I've heard from several CISOs basically the best course of action is to be as honest as you can and as transparent as you can be, because in many situations you have attackers who, if you aren't honest, they will come out and contradict you with the truth just to make you look bad and nothing looks worse than being attacked, being exposed, and having an attacker publicly shame you by saying they're not being honest.
00;39;17;11 - 00;39;20;00
Jeremy Ladner | The CISO Signal
And here's the proof that they're not being honest.
00;39;20;02 - 00;39;51;21
Ori Stein | CISO at TrustNet Security
The attackers are even smarter than that. They will say, if you don't pay us or whatever, we will report you to the SEC. Let's say if you're a public company, we will report you to the FTC or to any regulatory body. We will do it for you. We will be filing the incident because you're not doing it, and you either pay us the money or we're going to go to the regulators, and then it's going to be known that the hacker reported you for the breach.
00;39;51;23 - 00;40;21;03
Jeremy Ladner | The CISO Signal
Act 5: The Mirror Test
In the days that followed, Uber's breach became more than a headline. It became a mirror held up not just to one company, but to an entire industry. Because if they could be breached, a tech titan built in the heart of San Francisco, fortified with layers of security vendors, backed by billion-dollar budgets and a battalion of engineers, then who couldn't? The question wasn't how the attacker got in.
00;40;21;03 - 00;40;54;00
Jeremy Ladner | The CISO Signal
That part was already clear. He tricked a human. He found a script. He escalated privileges. He walked right through doors that were supposed to be locked. No, the real question was how many other companies were holding their doors open for hackers as well? The Uber breach didn't expose just Uber. It exposed the assumptions we've all been making. That 2FA is enough, that VPNs are secure, that if you just buy the right tools, compliance will turn into protection.
00;40;54;02 - 00;41;30;04
Jeremy Ladner | The CISO Signal
But as Uber's internal report would later reveal, the attacker didn't succeed because defenses were weak. He succeeded because defenses were predictable, and because trust between employee and IT, between tool and credential, between company and cloud was treated as an asset instead of a liability. In the aftermath, Uber did what most companies do: they reset passwords, they audited access logs, they partnered with law enforcement, and they promised it wouldn't happen again.
00;41;30;06 - 00;42;08;13
Jeremy Ladner | The CISO Signal
But in a quiet corner of that chaos, somewhere inside a now hardened Slack channel or a quarantine server, a deeper realization took hold. The enemy had changed. It wasn't just foreign governments or blackhat syndicates anymore. It was kids, it was hobbyists, it was threat actors who didn't want money. They wanted mayhem. Not ransomware, just reputation. And when you're playing defense against someone who's not after profit but attention, the rulebook goes out the window.
00;42;08;15 - 00;42;34;25
Jeremy Ladner | The CISO Signal
The attacker behind the Uber breach was reportedly traced. A British teenager, 17 years old, allegedly connected to Lapsus$, the same group behind breaches at Microsoft, Nvidia and Samsung. A boy not yet old enough to vote who walked past Uber security like it was a bead curtain. He didn't break in. He was let in. And once inside, he danced through their systems, leaving behind not destruction, but a message.
00;42;34;27 - 00;43;06;12
Jeremy Ladner | The CISO Signal
Security, he seemed to say, is not a product. It's not a dashboard. It's not a checkbox on a compliance form. Security is a mindset. And Uber, like many others, had been too busy building fast to build deep. Their engineers were brilliant, their infrastructure expansive, but their defenses, they were built for a different kind of war, the kind with perimeters, the kind with rules, the kind where you can tell who's inside and who's out.
00;43;06;19 - 00;43;32;29
Jeremy Ladner | The CISO Signal
But this wasn't that kind of war anymore. This was post-perimeter, post-trust. A world where your weakest link isn't your firewall. It's your colleague, the well-meaning employee just trying to finish their shift, respond to one last message, approve one more login request. And so Uber joined a long and growing list of companies forced to confront the uncomfortable truth.
00;43;33;01 - 00;43;54;20
Jeremy Ladner | The CISO Signal
We've architected our digital empires on a foundation of assumed trust, and all it takes is one clever whisper, one misplaced click, or a 17-year-old with enough nerve and time to bring it all to its knees.
00;43;54;23 - 00;44;02;02
Jeremy Ladner | The CISO Signal
So if you were advising Uber's security team post incident, where would you start?
00;44;02;04 - 00;44;29;21
Ori Stein | CISO at TrustNet Security
That’s a hard question. And again, we are talking with hindsight. In hindsight, everything looks clear and obvious. But if you break the incident down to the root cause, it started with social engineering. That’s where it began. So I would say the focus of the security program needs to shift more toward the people, toward the employees, and put more emphasis on user awareness.
00;44;29;27 - 00;44;51;29
Ori Stein | CISO at TrustNet Security
And don’t forget, since Covid, many people are working remotely, and it’s even harder to verify who someone really is when you don’t see them in person. You don’t have physical access, you don’t know them directly. Someone can pretend to be someone else, or even get paid to leak sensitive data. And help desk employees, for example, often have more access than regular users.
00;44;51;29 - 00;45;14;20
Ori Stein | CISO at TrustNet Security
By the way, Coinbase recently had an incident like this. Coinbase is a big crypto company, and in that case the attackers contacted the help desk and paid them to disclose customer information. They didn’t even need to breach the systems directly. They just asked someone with internal access to give them the data.
00;45;14;22 - 00;45;24;23
Jeremy Ladner | The CISO Signal
So speaking of weak links, how does this event reshape the way that you think about vendor sprawl and software as a service visibility?
00;45;24;28 - 00;45;44;27
Ori Stein | CISO at TrustNet Security
There is a whole industry trying to solve this problem right now. There is no real way to make sure that third parties have the same security posture as you. It’s almost impossible. The way it usually works today is that if you have a critical vendor, you send them a security questionnaire, they fill it out, and then you file it and basically say, okay, let’s hope for the best.
00;45;44;27 - 00;46;04;19
Ori Stein | CISO at TrustNet Security
Because in reality, you don’t have visibility into their systems. You can’t really see if something bad is happening on their side that could affect you. Most companies today depend on third parties, just like they depend on remote work. This is really an industry-wide problem, and there is no perfect solution right now.
00;46;04;21 - 00;46;17;22
Jeremy Ladner | The CISO Signal
Okay, so let's look at another facet of the modern threat landscape and sort of psychology over tech. What's your take on social engineering versus technical exploits today?
00;46;17;25 - 00;46;42;17
Ori Stein | CISO at TrustNet Security
I would say social engineering is the easiest way in, and no matter how much user awareness you do, you still need to think about onboarding, offboarding, and user skill levels. The program has to go over the same topics again and again, especially fraud and social engineering. Basically, you need a program that keeps running constantly and keeps addressing those risks.
00;46;42;18 - 00;47;13;10
Ori Stein | CISO at TrustNet Security
Security is only one part of the business, and employees are getting bombarded with messages all the time. They have compliance training, physical security, fire drills, and then security awareness on top of that. If you want it to work, it should be microlearning, so employees don’t feel overwhelmed. Otherwise you get those half-hour awareness videos where people just press play, walk away, and come back later to click 100%.
00;47;13;13 - 00;47;28;15
Ori Stein | CISO at TrustNet Security
You need to build your awareness program in a way that is engaging enough so users understand what’s in it for them, why they should care about security. Because these attacks are very easy to execute, and they can have a big impact on the company.
00;47;28;18 - 00;47;32;24
Jeremy Ladner | The CISO Signal
So how do you build a culture that resists attacks like that?
00;47;32;27 - 00;47;54;16
Ori Stein | CISO at TrustNet Security
You try to make it less painful for the user. You still do phishing tests across the whole company, but then you focus more on specific groups. For example, for the marketing team you send a short video, maybe one or two minutes, about the risks that are relevant to marketing.
00;47;54;16 - 00;48;15;20
Ori Stein | CISO at TrustNet Security
Then for the finance team you talk about fraud, because that’s what they deal with. You need to tailor the awareness program to the employees, to what they actually do, to their business function. It becomes almost personalized. Of course you cannot do it for every single employee, but you try to get as close as possible.
00;48;15;22 - 00;48;37;11
Ori Stein | CISO at TrustNet Security
Sometimes we do awareness sessions, talks, learning breaks where you focus on one topic. You can bring in outside security professionals to speak. We as security people tend to talk very technically, so sometimes it helps to bring someone who can explain things in simple terms for regular users who don’t live in the security world.
00;48;37;11 - 00;48;59;29
Ori Stein | CISO at TrustNet Security
You do workshops, you do interesting activities, you send small reminders, like flyers or short messages saying, “Think before you click.” You have to do it in many different ways, but the key is consistency, so employees feel that security is important, that it’s strategic for the company, not just something you do to check a box.
00;49;00;07 - 00;49;04;28
Ori Stein | CISO at TrustNet Security
If you reach that level, where you really connect with the individuals, then you are on the right track.
00;49;05;01 - 00;49;11;10
Jeremy Ladner | The CISO Signal
Do you think that incidents like this breach change the board's expectations of CISOs?
00;49;11;10 - 00;49;32;24
Ori Stein | CISO at TrustNet Security
What the board usually wants to know is, “Are we secure?” But that is not really the right question. The right question is, “Are we managing our risks?” There is no such thing as 100% security. The correct answer from the CISO should be that we are managing the risks, and those risks are specific to the company.
00;49;32;26 - 00;49;54;05
Ori Stein | CISO at TrustNet Security
If you are embedded in the organization as a CISO, you know the company. You know what makes the money, you know the critical systems, and you build a security program around protecting those risks. Then you can go to the board and say, we are managing risk at a level that is acceptable for this company. And if something is missing, you need to say clearly: to reduce this risk to an acceptable level, we need to invest X, Y, Z.
00;49;54;05 - 00;50;18;17
Ori Stein | CISO at TrustNet Security
But the board also needs to define what level of risk is acceptable. And that is the hard part. Boards and management struggle to quantify cyber risk. It is very hard to measure, because you can have thousands of events every day, and only one of them needs to succeed to shut the company down.
00;50;18;20 - 00;50;38;16
Jeremy Ladner | The CISO Signal
Right now, somewhere out there, there is a CISO who will end up in the next major public breach, whose company will be in the headlines for all the wrong reasons. What blind spots should CISOs be paying attention to today, to make sure they are not the ones in the headlines tomorrow?
00;50;38;19 - 00;51;00;14
Ori Stein | CISO at TrustNet Security
Today, one big blind spot is the cloud. It’s a bigger blind spot than on-prem environments, because when systems are on-prem, the security team and the SOC usually have visibility into everything. In the cloud it is different. Often the cloud is managed by developers, not by security people, and the security team may not have full visibility into what is happening there.
00;51;00;14 - 00;51;25;10
Ori Stein | CISO at TrustNet Security
Another issue is the way modern systems are integrated. Applications talk to each other through APIs, and everything is code-based. Sometimes someone hard-codes an API key, and that creates a weakness that is very hard to detect. Attackers can steal those keys and then just log in or access systems without needing to break in.
00;51;25;10 - 00;51;46;00
Ori Stein | CISO at TrustNet Security
There is a saying in the security community today: hackers don’t break in, they log in. They steal session cookies, for example. Everyone works through the browser, especially in the cloud, and if someone can steal your cookies, they can use them to log in as you, even if you have multi-factor authentication enabled.
00;51;46;00 - 00;51;50;03
Jeremy Ladner | The CISO Signal
Thank you very much. That's fantastic. I'm so grateful to have you on the show. It was a great conversation.
00;51;50;04 - 00;51;59;23
Ori Stein | CISO at TrustNet Security
Thanks Jeremy, it really was a pleasure meeting you, talking to you, and what you're doing is really awesome. I really hope that this thing, it's like a rocket.
00;51;59;25 - 00;52;30;08
Jeremy Ladner | The CISO Signal
After the fall. Cybersecurity often feels like a game of upgrades, stronger firewalls, tighter policies, new acronyms, new vendors, a never ending race to stay a few steps ahead. But sometimes it takes a breach not just of systems, but of confidence to realize the race itself might be flawed. Uber's breach wasn't the work of a nation state. It wasn't some high tech siege with zero days and cyber weapons.
00;52;30;08 - 00;53;01;10
Jeremy Ladner | The CISO Signal
It was something simpler, something human, a teenager with a gift for imitation, a company that trusted too quickly in a culture that, like so many others, confused access with security. The tools worked as designed. The alerts went out, the systems responded, but by the time the rules kicked in, the intruder had already rewritten them. We want our villains to wear masks and wield code like sorcery, but the truth is, the most dangerous attackers aren't magicians.
00;53;01;12 - 00;53;26;15
Jeremy Ladner | The CISO Signal
They're illusionists. They make you look over here while the real damage happens somewhere else. In Uber's case, the breach began with a push notification and ended with a post in Slack. Somewhere between those two points, a $1 billion security stack was made irrelevant by a few lines of PowerShell and a well-timed message on WhatsApp. And yet, this story isn't about Uber.
00;53;26;18 - 00;53;52;11
Jeremy Ladner | The CISO Signal
It's about what happens when we assume we are safe, when we mistake complexity for strength, when we forget that the hardest problems don't live in code, they live in people. Because you can't patch human nature, you can only prepare for it, design around it, and build systems that expect failure instead of just hoping to avoid it. The Uber breach didn't expose a flaw in the system.
00;53;52;11 - 00;54;07;09
Jeremy Ladner | The CISO Signal
It exposed the system. And so we must remain vigilant and always listening for The CISO Signal.
00;54;07;12 - 00;54;34;03
Jeremy Ladner | The CISO Signal
All episodes are based on publicly available reports, post-mortems, and expert analysis. While we've done our best to ensure accuracy, some cybersecurity incidents evolve over time and not all details have been confirmed. Our goal is to inform and entertain, not to assign blame. Where facts are unclear, we've used cautionary language and we always welcome your corrections. Thanks for listening to The CISO Signal.