In mid-September 2022, two of the year's most high-profile corporate intrusions, the breach of ride-hailing giant Uber Technologies, Inc. and the leak of in-development footage of Rockstar Games' Grand Theft Auto VI, were publicly linked to the same threat actor operating under the moniker "teapotuberhacker." The username itself, a portmanteau of "teapot," "Uber," and "hacker," was effectively a signed confession, planting the connection between the two intrusions before investigators had to assemble the timeline themselves. The breaches occurred within a single working week, shared overlapping tradecraft (social engineering, multi-factor authentication fatigue, abuse of internal collaboration platforms), and were ultimately attributed by Uber and law enforcement to a member of the loosely organised extortion crew known as Lapsus$ (Uber, 2022; The Guardian, 2022).
Uber publicly acknowledged a "cybersecurity incident" on the evening of 15 September 2022, after the intruder posted a message in Uber's company-wide Slack channel announcing, "I announce I am a hacker and Uber has suffered a data breach" (The Verge, 2022). Many Uber employees initially mistook the announcement for an internal prank, responding with siren emoji and reaction GIFs until IT staff intervened (The Verge, 2022). The attacker also reconfigured Uber's OpenDNS to display an explicit graphic on several internal sites, ensuring the breach was unmistakable to everyone in the company (Uber, 2022).
Uber's post-incident statement reconstructed the intrusion chain as follows: an EXT contractor's Uber corporate credentials were almost certainly purchased on a dark-web marketplace after the contractor's personal device was infected with information-stealer malware; the attacker then repeatedly attempted to authenticate, triggering a stream of multi-factor push notifications until the fatigued contractor approved one (Uber, 2022). This technique, commonly referred to as "MFA fatigue" or "push bombing," granted the attacker an initial foothold on Uber's VPN. From there, the actor pivoted laterally, locating a PowerShell script on an internal share that contained hard-coded administrative credentials for a privileged-access management (PAM) solution, which in turn unlocked single sign-on tokens to G-Suite, Slack, AWS, GCP, HackerOne, and internal finance tooling (The Verge, 2022; Uber, 2022). Uber stated that no production systems, customer payment data, or trip histories were accessed, though internal Slack messages and finance invoices were exfiltrated, and the attacker did obtain access to vulnerability reports submitted to Uber's HackerOne bug-bounty programme (Uber, 2022).
Three days after the Uber announcement, on 18 September 2022, a user calling themselves "teapotuberhacker" posted 90 video files containing roughly 50 minutes of work-in-progress Grand Theft Auto VI footage to GTAForums (The Guardian, 2022). The clips revealed a contemporary Vice City setting, the dual protagonists later confirmed as Lucia and Jason, animation tests, gameplay prototypes, and dialogue between characters. In the same forum thread, the poster explicitly claimed responsibility for "the recent Uber hack" and stated the GTA files had been pulled directly from Rockstar's internal Slack workspaces, threatening to release the GTA V and GTA VI source code and game build unless Rockstar's parent, Take-Two Interactive, negotiated (The Guardian, 2022). Bloomberg's Jason Schreier verified the authenticity of the footage with sources inside Rockstar within hours, and Take-Two issued mass DMCA takedowns to YouTube, Reddit, and GTAForums (The Guardian, 2022).
The link between the two incidents rests on four converging strands of evidence. First, the actor self-attributed: the chosen handle "teapotuberhacker," the explicit claim of responsibility for the Uber intrusion in the GTAForums post, and contemporaneous direct messages to security researchers all pointed to a single individual or tightly coordinated pair (The Guardian, 2022; The Verge, 2022). Second, the tradecraft matched: in both cases the attacker exploited stolen or social-engineered credentials, abused MFA push notifications, and proceeded to ransack Slack as the principal exfiltration channel, behaviours catalogued by analysts as signatures of the Lapsus$ collective (Uber, 2022). Third, Uber's own 19 September update explicitly attributed its breach to "an attacker (or attackers) affiliated with a hacking group called Lapsus__CONTENT__quot; and acknowledged "reports⦠that this same actor breached video game maker Rockstar Games," coordinating with the FBI and US Department of Justice (Uber, 2022). Fourth, GTAForums moderators concluded from posting patterns and IP-address evidence that the "teapotuberhacker" account was operated primarily by an actor called "Teapot," with a secondary collaborator "Lily" attempting to monetise GTA V source code (The Guardian, 2022).
On 22 September 2022, four days after the GTA leak, the City of London Police, supported by the UK National Cyber Crime Unit and US federal agencies, arrested a 17-year-old from Oxfordshire who was identified in subsequent reporting as both "teapotuberhacker" and a senior member of Lapsus$ (The Guardian, 2022). The teenager, Arion Kurtaj, was already on police bail and under protective custody at a Travelodge hotel following earlier intrusions at EE and Nvidia; according to evidence presented at Southwark Crown Court, he carried out the Rockstar breach from the hotel using only a mobile phone, a hotel television, and an Amazon Fire TV Stick (The Guardian, 2022). In mid-2023, a jury determined that Kurtaj had committed twelve offences, including six counts of computer misuse, three of blackmail, and two of fraud; he was deemed unfit to plead due to autism and placed under an indefinite hospital order in December 2023 (The Guardian, 2022). Rockstar later reported that recovering from the incident cost approximately US$5 million and many thousands of staff hours (The Guardian, 2022).
The Uber breach is therefore not a peripheral footnote to the GTA VI leak; it is the direct precursor that established the actor's tradecraft, demonstrated the scale of damage achievable through SaaS credential abuse, and provided the public reputational platform on which "teapotuberhacker" advertised the Rockstar intrusion only days later. For Rockstar, the connection meant the attacker was already known to multiple national law enforcement bodies before the GTA footage appeared, materially accelerating the investigation. For the wider industry, the back-to-back Uber and Rockstar incidents became the canonical case studies illustrating how MFA-fatigue attacks against contractor accounts can cascade through interconnected collaboration platforms into catastrophic intellectual-property exposure (Uber, 2022; The Verge, 2022).
The Guardian (2022) Rockstar owner issues takedowns after Grand Theft Auto VI leak. Available at: https://www.theguardian.com/games/2022/sep/19/rockstar-owner-issues-takedowns-after-grand-theft-auto-vi-leak (Accessed: 14 May 2026).
The Verge (2022) Uber apparently hacked by teen, employees thought it was a joke. Available at: https://www.theverge.com/2022/9/16/23356213/uber-hack-teen-slack-google-cloud-credentials-powershell (Accessed: 14 May 2026).
Uber (2022) Security update. Uber Newsroom, 19 September. Available at: https://www.uber.com/newsroom/security-update/ (Accessed: 14 May 2026).
Wikipedia (2026) Grand Theft Auto VI. Available at: https://en.wikipedia.org/wiki/Grand_Theft_Auto_VI (Accessed: 14 May 2026).