The 2 A.M. Approval: How MFA Fatigue Let an Attacker Walk Right In

Here is the uncomfortable part: this business had done the thing everyone tells you to do. It had turned on multi-factor authentication. And it still got breached, because the attacker did not try to beat the MFA. They just asked the employee to approve it, over and over, until they did.

The setup

An employee’s password had leaked in an unrelated breach and ended up in a credential dump. The attacker had a valid password but hit the MFA prompt at login. The account was set up with “push” notifications, the kind where your phone buzzes and you tap “approve” to sign in. That convenience became the weakness.

The trigger

The attacker logged in again and again, firing off a push notification each time. The employee’s phone buzzed at dinner, then during a meeting, then at 2 a.m. Annoyed and half asleep, assuming it was a glitch, they finally tapped “approve” to make it stop. That single tap handed the attacker a logged-in session. This is called an MFA fatigue or push-bombing attack, and it has been behind several high-profile breaches.

Why it worked

  • A reused, leaked password. The attacker started with a real credential.
  • Simple “approve” push prompts. A one-tap approval is easy to grant by mistake under pressure.
  • No limit on prompts. Dozens of approval requests in a row should have throttled the pushes and locked the account, not kept asking.
  • No training on the tactic. The employee did not know that an unexpected flood of prompts is an attack in progress.

The fix, and what it would have cost

Switching from simple “approve” prompts to number matching (the sign-in screen shows a number, and you have to type that number into your authenticator app, so a blind tap cannot approve a login you did not start), capping repeated prompts (after a handful of pushes in a few minutes, stop sending them and lock the account until someone looks), and a five-minute briefing that says “never approve a prompt you did not start” would have stopped this cold. Number matching still depends on the employee not reading the number to a caller claiming to be IT, which is why a phishing-resistant method such as a hardware key or passkey is stronger still: there is no remote prompt to approve at all. The fixes are free or close to it. The breach meant a forced password reset across the company, an investigation, and weeks of worry about what the attacker had seen.
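As an added example (not code from the original post or from Value Aligners), here is a small Python simulation of the gaps listed under “Why it worked” and of the two technical fixes above: a toy push-MFA service that enforces a per-user cap on pushes and number matching, plus a detector that scans sample authentication logs for the burst-then-approve pattern a defender would want to alert on. The log format, field names, thresholds (5 pushes in 10 minutes, a one-hour lock) and the sample lines are all assumptions constructed for this example.

```python
# Added example, not the original page's code. Toy push-MFA policy (prompt cap +
# number matching) and a push-bombing detector over constructed log lines.
# Thresholds, log format and sample data are assumptions for illustration.
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
import secrets

PUSH_CAP = 5                      # assumed: max pushes per user per window
WINDOW = timedelta(minutes=10)    # assumed: sliding window for the cap
LOCK_FOR = timedelta(hours=1)     # assumed: lock duration once the cap is hit
T0 = datetime(2024, 5, 14, 1, 48, tzinfo=timezone.utc)


def at(seconds):
    """Clock helper for the simulation: T0 plus an offset in seconds."""
    return T0 + timedelta(seconds=seconds)


class PushMfa:
    """Simulated push MFA. With number_matching=True the sign-in screen shows a
    number the user must type into the authenticator app, so a blind 'approve'
    tap no longer completes the login. Each challenge is single-use."""

    def __init__(self, number_matching=True, cap=PUSH_CAP):
        self.number_matching = number_matching
        self.cap = cap
        self.recent = defaultdict(deque)  # user -> timestamps of recent pushes
        self.locked_until = {}            # user -> lock expiry
        self.pending = {}                 # challenge id -> (user, number)

    def challenge(self, user, now):
        """Send a push to `user`. Returns (challenge_id, number), or None if the
        account is locked or this push would exceed the cap (which locks it)."""
        lock = self.locked_until.get(user)
        if lock is not None and now < lock:
            return None
        q = self.recent[user]
        while q and now - q[0] > WINDOW:   # drop pushes outside the window
            q.popleft()
        if len(q) >= self.cap:
            self.locked_until[user] = now + LOCK_FOR
            q.clear()
            return None
        q.append(now)
        number = secrets.randbelow(100) if self.number_matching else None
        cid = secrets.token_hex(8)
        self.pending[cid] = (user, number)
        return cid, number

    def approve(self, cid, entered=None):
        """Authenticator-side approval. Returns True if the sign-in completes."""
        user, number = self.pending.pop(cid, (None, None))
        if user is None:
            return False          # unknown or already-used challenge
        if self.number_matching:
            return entered is not None and entered == number
        return True               # plain push: one tap is enough (the weak setup)


# Constructed sample log in an assumed "timestamp key=value ..." format:
# seven pushes to jdoe in seven minutes, then an approval; asmith is normal.
SAMPLE_LOG = """\
2024-05-14T01:48:02Z user=jdoe event=push_sent ip=203.0.113.7
2024-05-14T01:49:10Z user=jdoe event=push_sent ip=203.0.113.7
2024-05-14T01:50:15Z user=jdoe event=push_sent ip=203.0.113.7
2024-05-14T01:51:20Z user=jdoe event=push_sent ip=203.0.113.7
2024-05-14T01:52:31Z user=jdoe event=push_sent ip=203.0.113.7
2024-05-14T01:53:44Z user=jdoe event=push_sent ip=203.0.113.7
2024-05-14T01:54:58Z user=jdoe event=push_sent ip=203.0.113.7
2024-05-14T01:55:40Z user=jdoe event=push_approved ip=203.0.113.7
2024-05-14T09:02:11Z user=asmith event=push_sent ip=198.51.100.20
2024-05-14T09:02:30Z user=asmith event=push_approved ip=198.51.100.20
"""


def parse(line):
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return rec


def detect_push_bombing(lines, threshold=PUSH_CAP, window=WINDOW):
    """Flag any user who received `threshold` or more pushes inside `window`,
    and record whether an approval landed during or shortly after the burst."""
    sent, approved = defaultdict(list), defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        rec = parse(line)
        if rec["event"] == "push_sent":
            sent[rec["user"]].append(rec["ts"])
        elif rec["event"] == "push_approved":
            approved[rec["user"]].append(rec["ts"])
    findings = []
    for user, times in sent.items():
        times.sort()
        for i, start in enumerate(times):
            j = i
            while j + 1 < len(times) and times[j + 1] - start <= window:
                j += 1                     # extend the burst within the window
            if j - i + 1 >= threshold:
                end = times[j]
                findings.append({
                    "user": user,
                    "pushes": j - i + 1,
                    "start": start.isoformat(),
                    "approved_after_burst": any(start <= a <= end + window
                                                for a in approved[user]),
                })
                break                      # one finding per user is enough
    return findings


if __name__ == "__main__":
    for finding in detect_push_bombing(SAMPLE_LOG.splitlines()):
        print(finding)
```

The detector's finding for the sample log is the story itself: one user, seven pushes in a few minutes, and an approval right after the burst. In a real deployment the same query belongs in the identity provider's sign-in logs, and the cap belongs in the MFA policy so the account locks before the employee ever sees the seventh prompt.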

MFA is still essential. It just has to be set up the right way. Our Playbook on multi-factor authentication walks through how.

Don’t wait for a breach to find your gaps. Value Aligners matches your business to the right cybersecurity tools in minutes — free.

Get My Free Assessment
