MFA Fatigue: How Hackers Breached Uber, Microsoft, and Cisco

The tactic, which has been used by the hacking group Lapsus$, preys on users getting frustrated by endless notifications.
Aaron Drapkin

A relatively new social engineering technique commonly known as “MFA Fatigue” has been successfully used to compromise employee accounts at large corporations like Uber, Microsoft, and Cisco.

The technique exploits Multi-Factor Authentication (MFA) solutions that push a sign-in approval notification to the user's device after every login attempt, combined with the fact that people tend to get frustrated by an endless stream of messages and will eventually tap "approve" just to make them stop.

This attack still requires stolen account credentials, so ensuring you have a strong password is paramount, and using a password manager to facilitate this is always advised.

MFA Fatigue: A Novel Hacking Tactic

Your business is vulnerable to MFA fatigue attacks if the multi-factor authentication method your employees use is configured to send “approve sign-in” notifications to their phones or other devices.

In an MFA fatigue attack, an attacker who already has a user's password repeatedly starts the sign-in process for that account. Every attempt passes the password check, so every attempt triggers a fresh push notification, and the user's device is flooded with sign-in approval requests.

Alongside bombarding the target with notifications, hackers have reportedly sent emails in which they pretend to be IT support, in a further effort to convince the user that the messages are legitimate requests they need to deal with.

The intention is that the victim finally approves a request out of pure frustration, or because they believe their IT team has asked them to. A single tap on "approve" is enough: the attacker then has a fully authenticated session.

Other Authentication-Busting Techniques

We’d still advise activating two-factor authentication – and even better, multi-factor authentication – on any accounts you have.

An extra layer of security is always good – it's better than not having it, after all – but it is not the failsafe it was once touted to be, and there are more and less secure ways to configure it.

SIM-Swapping, for example, is a tactic hackers have previously used to gain unauthorized access to crypto wallets with two-factor authentication activated.

It involves phoning a mobile carrier and convincing them to move a target's phone number to a SIM controlled by the attacker, so that two-factor codes sent via text message (and any account-recovery calls) are delivered to the attacker instead.

This is why it's generally advised to use an authenticator app like Google Authenticator rather than SMS. The app generates each code on your device from a secret shared with the service when you enrolled; nothing is sent over the phone network and nothing is tied to your phone number, so there is nothing for a SIM swap to redirect.

How Do I Beat MFA Fatigue Attacks?

If you are receiving a stream of MFA notifications for your work accounts that you did not trigger, deny them and contact your IT department. The prompts also mean your password is already in someone else's hands, so it needs to be changed.

Security experts also recommend replacing simple "approve sign-in" push prompts with number matching, where the sign-in screen displays a number that the user must type into the authenticator app, or with one-time codes generated by an authenticator app. Either way, a blind tap on "approve" no longer completes a sign-in: the victim would need the number shown on the attacker's screen, which they do not have.

On some systems, you can also limit the number of MFA requests that can be sent to a user within a given period, so that once the threshold is reached no more prompts go out and the account is locked or flagged for review.
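The following is an added example, not code from the article or from any MFA vendor, that models the two controls just described and the attack pattern from the section above: a push service that enforces a per-user prompt threshold and requires number matching instead of a plain approve/deny, plus a detection pass over a constructed MFA log that finds the fatigue signature (a run of denied or timed-out prompts, followed by an approval). The threshold values, the `PushService` API, the log format and the user names are all assumptions for illustration.

```python
import secrets
import time
from collections import defaultdict, deque
from dataclasses import dataclass

# Hypothetical policy values for illustration.
MAX_PROMPTS = 5        # push prompts allowed per user per window
WINDOW_SECONDS = 600   # 10-minute window


@dataclass
class Challenge:
    user: str
    number: int      # shown on the sign-in screen; must be typed into the app
    created: float


class PushService:
    """Model of an MFA push service with a prompt threshold and number matching."""

    def __init__(self, now=time.time):
        self.now = now                     # injectable clock for testing
        self.sent = defaultdict(deque)     # user -> timestamps of prompts in window
        self.locked = set()

    def request_prompt(self, user: str):
        """Called after a correct password. Returns a Challenge, or None when the
        user is locked or has hit the threshold (no further prompt is sent)."""
        if user in self.locked:
            return None
        t = self.now()
        recent = self.sent[user]
        while recent and t - recent[0] > WINDOW_SECONDS:
            recent.popleft()
        if len(recent) >= MAX_PROMPTS:
            self.locked.add(user)          # stop the bombardment; IT must reset
            return None
        recent.append(t)
        # Two-digit number, as in number-matching push prompts.
        return Challenge(user, secrets.randbelow(100), t)

    def approve(self, challenge: Challenge, entered) -> bool:
        """A bare tap on 'approve' (entered=None) never completes the sign-in;
        the user must enter the number only the party at the sign-in screen sees."""
        if challenge.user in self.locked or entered is None:
            return False
        return entered == challenge.number


# Constructed MFA log (unix time, user, event). alice is being bombarded.
SAMPLE_LOG = """\
1700000000 alice push_sent
1700000020 alice push_denied
1700000030 alice push_sent
1700000050 alice push_timeout
1700000060 alice push_sent
1700000080 alice push_timeout
1700000090 alice push_sent
1700000110 alice push_timeout
1700000120 alice push_sent
1700000125 alice push_approved
1700000000 bob push_sent
1700000010 bob push_approved
"""


def detect_fatigue(log_text: str, threshold: int = 3,
                   window: int = WINDOW_SECONDS) -> dict:
    """Return {user: approved_after_run} for users with at least `threshold`
    denied or timed-out prompts inside `window` seconds. An approval that
    follows such a run is the event to escalate: it is what a worn-down
    victim produces, and it means the attacker is now logged in."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        ts, user, result = line.split()
        events[user].append((int(ts), result))
    flagged = {}
    for user, evs in events.items():
        evs.sort()
        rejects = deque()
        for ts, result in evs:
            if result in ("push_denied", "push_timeout"):
                rejects.append(ts)
                while ts - rejects[0] > window:
                    rejects.popleft()
                if len(rejects) >= threshold and user not in flagged:
                    flagged[user] = False
            elif result == "push_approved" and user in flagged:
                flagged[user] = True
    return flagged


if __name__ == "__main__":
    print(detect_fatigue(SAMPLE_LOG))   # alice flagged, and she approved at the end
```

Two design points. The threshold counts prompts sent, not prompts denied, so an attacker cannot keep the flood going by letting prompts time out; and once the threshold trips, `approve` refuses even a correct number for the locked user, so a late tap by the victim cannot rescue the attacker's session. In the detection function, the sliding window is over rejected prompts only, which keeps an ordinary user who declines one stray prompt out of the alert.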

Of course, as this only works with stolen account credentials, the first line of defense is a strong, unique password – and there’s no better way to ensure you have one than a password manager. Using one, along with an authenticator app and a configured MFA request threshold (if possible), is the safest way forward.


Aaron Drapkin is a Senior Writer at Tech.co. He has been researching and writing about technology, politics, and society in print and online publications since graduating with a Philosophy degree from the University of Bristol three years ago. As a writer, Aaron takes a special interest in VPNs and project management software. He has been quoted in the Daily Mirror, Daily Express, The Daily Mail, Computer Weekly, and the Silicon Republic speaking on various privacy and cybersecurity issues, and has articles published in Wired, Vice, Metro, The Week, and Politics.co.uk covering a wide range of topics.
