LOGBOOK

HELP

1 / 27
Other keys: showSpace: good1-4: rate0: skip5: flag6: invert

Question

What is MFA Fatigue, and how was it used in the 2022 Uber breach?

Answer

MFA Fatigue (aka MFA Bombing/Push Spam) is a social engineering attack where the attacker repeatedly triggers MFA push notifications until the victim approves one out of frustration or confusion.

The Uber Breach (September 2022):

  • Attacker (Lapsus$ group) obtained an Uber contractor's credentials (likely from the dark web after a prior breach)
  • Bombarded the contractor with MFA push notifications repeatedly
  • Eventually contacted the victim on WhatsApp, posing as Uber IT support, saying they needed to approve the notification to stop the spam
  • The contractor approved → attacker gained access to Uber's internal network

Why it works:

  • Exploits human fatigue and annoyance rather than technical flaws
  • MFA itself isn't broken — the human factor is the weak point
  • Push-based MFA is particularly vulnerable (approve/deny is just a tap)

Defenses:

  • Use number-matching MFA (user must type a code displayed on the login screen)
  • Implement rate limiting on MFA prompts
  • Use FIDO2/hardware keys instead of push notifications
  • Train users to report unsolicited MFA prompts immediately

Go deeper:

Various hardware security tokens. On the left and the middle two variants of the YubiKey and on the right a FIDO token from Feitian Technologies [de]
Various hardware security tokens. On the left and the middle two variants of the YubiKey and on the right a FIDO token from Feitian Technologies [de]
Tony Webster from Minneapolis, Minnesota, United States · CC BY 2.0 · Wikimedia Commons
or press any other key