NHI Forum
Read full article here: https://www.p0.dev/blog/uber-breach/?source=nhimg
On December 1, 2022, Uber experienced a breach linked to the Lapsus$ extortion group. The attacker’s path into Uber’s environment illustrates a chain of well-known but often poorly controlled identity security weaknesses:
- Malware infection on a contractor’s device exposed corporate credentials.
- Stolen credentials were purchased on the dark web.
- MFA fatigue attack tricked the contractor into approving a fraudulent login.
- Slack access was gained, allowing the attacker to move laterally.
- Plaintext admin credentials were discovered in internal PowerShell scripts.
- Privilege escalation followed, leading to AWS and GCP access via Uber’s PAM (Thycotic) system.
Each stage reflects the growing attack surface of cloud-native enterprises, where users, apps, credentials, and workloads multiply faster than traditional identity practices can keep up.
Why It Matters
This incident wasn’t just about one weak point. It exposed systemic gaps in identity hygiene:
- Overprivileged accounts: Admin credentials existed where they shouldn’t.
- Weak enforcement of least privilege: Broad, persistent access instead of scoped, time-bound rights.
- Poor credential hygiene: Sensitive keys stored in plaintext scripts.
- Siloed teams: Security practices clashed with developer speed, leading to shortcuts.
Uber is far from alone. The same conditions exist in most enterprises, where developers hardcode admin credentials “just to get something done” and security teams struggle to enforce granular, context-aware controls across sprawling stacks.
Key Lessons for Identity Hygiene
The Uber breach highlights that identity is now the primary attack vector, especially in cloud-native ecosystems:
- Ephemeral, Just-in-Time Access - Admin rights should never be persistent. Grant only when needed, for as short a duration as possible.
- Secrets Management with Identity Context - Vaults are not enough. Organizations must track who owns a secret, how it’s used, and whether it aligns with least privilege.
- Developer-friendly Security - If controls break workflows, developers bypass them. Security must embed into the CLI and IDE, working with velocity, not against it.
- Unified Security + Identity Strategy - IAM, PAM, and DevOps tooling must converge around lifecycle management of both human and non-human identities.
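The plaintext admin credentials found in internal PowerShell scripts are the kind of hygiene failure a pre-commit or CI check catches long before an attacker does. As an added example (not code from the article, from p0 or from Uber), this small Python scanner flags the common PowerShell patterns for embedding a secret as a literal, while leaving runtime lookups such as `$env:` or `Get-Secret` alone; the rule names, the sample script and the `Connect-Service` cmdlet are constructed for illustration.

```python
import re
from dataclasses import dataclass
# Names that usually carry a credential when used as a variable or cmdlet parameter.
SENSITIVE = r"(?:pass(?:word|wd)?|pwd|secret|token|api[_-]?key|access[_-]?key|credential)"
RULES = [
    # $DbPassword = "hunter2" : a sensitive variable assigned a string literal
    ("literal-assignment", re.compile(
        rf"""\$(?P<name>\w*{SENSITIVE}\w*)\s*=\s*(?P<q>["'])(?P<val>[^"']+)(?P=q)""", re.I)),
    # ConvertTo-SecureString "hunter2" -AsPlainText : a literal wrapped at runtime
    ("securestring-from-literal", re.compile(
        r"""ConvertTo-SecureString\s+(?P<q>["'])(?P<val>[^"']+)(?P=q)[^\n]*-AsPlainText""", re.I)),
    # -Password 'hunter2' : a literal passed straight to a cmdlet parameter
    ("literal-parameter", re.compile(
        rf"""-(?P<name>{SENSITIVE})\s+(?P<q>["'])(?P<val>[^"']+)(?P=q)""", re.I)),
    # AWS access key id shape: the value is the signal, whatever the variable is called
    ("aws-access-key-id", re.compile(r"\b(?P<val>AKIA[0-9A-Z]{16})\b")),
]

@dataclass
class Finding:
    line: int
    rule: str
    name: str      # variable or parameter name, or "(literal)" for value-shape rules
    redacted: str  # never the raw secret
def redact(value: str) -> str:
    """Keep a two-character prefix only, so the report itself does not leak the secret."""
    return value[:2] + "*" * (len(value) - 2) if len(value) > 4 else "****"

def scan_powershell(script: str) -> list[Finding]:
    """Return one Finding per hardcoded credential in a PowerShell script, in line order."""
    findings = []
    for lineno, line in enumerate(script.splitlines(), start=1):
        if line.lstrip().startswith("#"):  # a commented-out line cannot execute
            continue
        for rule, pattern in RULES:
            for m in pattern.finditer(line):
                name = m.groupdict().get("name") or "(literal)"
                findings.append(Finding(lineno, rule, name, redact(m.group("val"))))
    return findings
# Constructed sample (no real credentials); runtime lookups via $env: / Get-Secret are not flagged.
SAMPLE = """\
$ErrorActionPreference = "Stop"
$DbPassword = "hunter2"
$Token = $env:DEPLOY_TOKEN
$sec = ConvertTo-SecureString "Sup3rS3cret!" -AsPlainText -Force
Connect-Service -User admin -Password 'letmein'
$aws = "AKIAEXAMPLEEXAMPLE00"
$cred = Get-Secret -Name prod-admin -Vault CorpVault
"""
```

Run `scan_powershell` over every script in a repository from a pre-commit hook or CI step; because findings carry only redacted values, the report can be filed and triaged without re-exposing the secret.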
The Bigger Picture
The breach also foreshadows the next wave of identity risk. Non-human identities (NHIs), such as service accounts, tokens, workloads and, increasingly, AI agents, already outnumber humans 10–50x in most organizations. If hardcoded secrets and broad admin access are dangerous today, the rise of autonomous AI workflows will magnify this risk.
Uber’s story shows that identity hygiene failures in traditional DevOps can already cascade into multi-cloud compromise. Add in AI-driven services making autonomous decisions with credentials, and the stakes multiply. Enterprises must adopt NHI-aware security frameworks that treat machine identities with the same rigor once reserved for human accounts.
Bottom Line
Uber’s breach was not a failure of technology availability; it was a failure of identity discipline. The lesson is clear: without strict identity hygiene, least privilege, and NHI-aware lifecycle management, even well-resourced enterprises will remain vulnerable in the cloud-native era.