Uber: MFA Bombing Attack

Love may conquer all, but apparently MFA won’t. That pesky human factor again.

Unmanaged risk around the use of cloud services, combined with too much trust in MFA, was among the factors that let the notorious hacking group Lapsus$ breach multiple internal systems at Uber. Lapsus$ is a high-profile group that has seemingly also targeted Cisco, Microsoft, Nvidia, Okta, and Samsung.

After illegally obtaining the login credentials of an external contractor, the attackers bombarded the login page with sign-in attempts, flooding the contractor with MFA verification requests. When the contractor denied those requests, the attackers contacted him via WhatsApp posing as tech support and convinced him to approve one request in order to stop the flood of prompts, which let the attackers in.

MFA bombing is the practice of submitting numerous login attempts so that the victim is hit with a stream of MFA prompts, until they tap ‘allow’ either by mistake or out of sheer frustration. A single lapse of judgment or moment of weakness opens the door to attackers who have been knocking patiently and consistently.
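The pattern described above leaves a visible trace in identity-provider logs: a burst of push prompts to one user, most of them denied or timed out, followed by an approval. The following detector is an added example written for this note, not code from Uber, Lapsus$ coverage, or Centraleyes; it assumes a hypothetical CSV-style log format (`timestamp,user,event,result`) and uses constructed sample lines, so field names and thresholds are assumptions to adapt to your own IdP's export.

```python
"""Detect MFA push-bombing (prompt fatigue) patterns in IdP auth logs.

Added example. The log format (timestamp,user,event,result) is an assumed,
hypothetical schema, not Uber's or any vendor's real one.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log, not real data. One contractor receives a burst of
# pushes, denies them, then approves one a few minutes later; two other
# users show ordinary behaviour.
SAMPLE_LOG = """\
2024-01-01T22:00:05Z,contractor01,mfa_push,denied
2024-01-01T22:00:40Z,contractor01,mfa_push,denied
2024-01-01T22:01:10Z,contractor01,mfa_push,denied
2024-01-01T22:01:55Z,contractor01,mfa_push,timeout
2024-01-01T22:02:30Z,contractor01,mfa_push,denied
2024-01-01T22:09:12Z,contractor01,mfa_push,approved
2024-01-01T22:00:30Z,alice,mfa_push,approved
2024-01-01T09:15:00Z,bob,mfa_push,denied
2024-01-01T17:40:00Z,bob,mfa_push,approved
"""


def parse_log(text):
    """Parse CSV-style lines into event dicts with UTC-aware datetimes, sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, event, result = line.split(",")
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"time": when, "user": user, "event": event, "result": result})
    return sorted(events, key=lambda e: e["time"])


def detect_push_bombing(events, window=timedelta(minutes=10),
                        flood_threshold=5, denials_before_approval=3):
    """Return findings for two push-fatigue signatures.

    push_flood: a user receives flood_threshold or more pushes inside `window`.
    approval_after_denials: an approval that follows at least
    denials_before_approval non-approved pushes inside `window`
    (the moment the victim gives in).
    """
    recent = defaultdict(deque)  # user -> pushes still inside the sliding window
    findings = []
    for ev in events:
        if ev["event"] != "mfa_push":
            continue
        q = recent[ev["user"]]
        # Drop pushes that have fallen out of the window.
        while q and ev["time"] - q[0]["time"] > window:
            q.popleft()
        if ev["result"] == "approved":
            refused = sum(1 for p in q if p["result"] != "approved")
            if refused >= denials_before_approval:
                findings.append({"kind": "approval_after_denials", "user": ev["user"],
                                 "count": refused, "at": ev["time"]})
        q.append(ev)
        # Report a flood once, when the threshold is first crossed.
        if len(q) == flood_threshold:
            findings.append({"kind": "push_flood", "user": ev["user"],
                             "count": len(q), "at": ev["time"]})
    return findings


if __name__ == "__main__":
    for f in detect_push_bombing(parse_log(SAMPLE_LOG)):
        print(f"{f['at'].isoformat()} {f['user']} {f['kind']} (count={f['count']})")
```

Run on the sample, it flags `contractor01` twice: once when the fifth prompt lands inside ten minutes, and again when the later approval follows five refused prompts. The second signal is the more valuable one for response, since it marks the session that should be revoked; the first is the one to alert on early, or to use as the trigger for an IdP-side rate limit on push prompts.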

MFA is an important layer of security that should certainly be implemented, but it is not foolproof. An authenticator app, a security key, or biometrics is a stronger and more effective way to protect your accounts than SMS or one-touch push approval, given the risk of MiTM (Man in the Middle) attacks.

The complex integrations between SaaS and cloud services create room for vulnerabilities and mismanagement, so extra care needs to be taken with your organization’s security. Invest in your security: implement best practices, use foundational frameworks and guidelines, undergo comprehensive risk assessments, and do it with the cutting-edge risk and compliance management platform, Centraleyes.
