LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

What is MFA Fatigue, and how was it used in the 2022 Uber breach?

MFA Fatigue (aka MFA Bombing/Push Spam) is a social engineering attack where the attacker repeatedly triggers MFA push notifications until the victim approves one out of frustration or confusion.

The Uber Breach (September 2022):

  • Attacker (Lapsus$ group) obtained an Uber contractor's credentials (likely from the dark web after a prior breach)
  • Bombarded the contractor with MFA push notifications repeatedly
  • Eventually contacted the victim on WhatsApp, posing as Uber IT support, saying they needed to approve the notification to stop the spam
  • The contractor approved → attacker gained access to Uber's internal network

Why it works:

  • Exploits human fatigue and annoyance rather than technical flaws
  • MFA itself isn't broken — the human factor is the weak point
  • Push-based MFA is particularly vulnerable (approve/deny is just a tap)

Defenses:

  • Use number-matching MFA (user must type a code displayed on the login screen)
  • Implement rate limiting on MFA prompts
  • Use FIDO2/hardware keys instead of push notifications
  • Train users to report unsolicited MFA prompts immediately

Go deeper:

From Quiz: INTROL / Open Your Mind – Creative Thinking for Problem Solving | Updated: Jul 05, 2026