The hacking group apparently gained access to several internal Uber systems after stealing a third-party contractor’s credentials and then convincing the contractor to approve a two-factor authentication request.