1 / 27
Other keys: show •
Space: good •
1-4: rate •
0: skip •
5: flag •
6: invert
Question
What is MFA Fatigue, and how was it used in the 2022 Uber breach?
Answer
MFA Fatigue (aka MFA Bombing/Push Spam) is a social engineering attack where the attacker repeatedly triggers MFA push notifications until the victim approves one out of frustration or confusion.
The Uber Breach (September 2022):
- Attacker (Lapsus$ group) obtained an Uber contractor's credentials (likely from the dark web after a prior breach)
- Bombarded the contractor with MFA push notifications repeatedly
- Eventually contacted the victim on WhatsApp, posing as Uber IT support, saying they needed to approve the notification to stop the spam
- The contractor approved → attacker gained access to Uber's internal network
Why it works:
- Exploits human fatigue and annoyance rather than technical flaws
- MFA itself isn't broken — the human factor is the weak point
- Push-based MFA is particularly vulnerable (approve/deny is just a tap)
Defenses:
- Use number-matching MFA (user must type a code displayed on the login screen)
- Implement rate limiting on MFA prompts
- Use FIDO2/hardware keys instead of push notifications
- Train users to report unsolicited MFA prompts immediately
Go deeper:
MFA fatigue attack (Wikipedia) — push-bombing, the Lapsus$ Uber breach, and the number-matching mitigation.
or press any other key
Note saved — thanks!