MFA Prompt Bombing: Why Your Second Factor Isn’t Saving You

https://thehackernews.com/2026/05/mfa-prompt-bombing-why-your-second.html

Publish Date: 2026-05-26 06:30:00

Source Domain: thehackernews.com

Multi-factor authentication (MFA) was supposed to close a critical gap in identity security. It meant that, even if an attacker possessed the account credentials, they couldn’t log in without the second factor. While that logic was sound, attackers have now figured out that they don’t need to steal the second factor: they just need the user to hand it over.

If your workforce authenticates with push-based MFA, this attack is a live threat to your organization today. Tools like Specops Secure Access are built specifically to close that gap, but before getting into the fix, it’s worth understanding how this technique works.

How MFA prompt bombing works

The attack requires three key elements to work:

  • Valid account credentials, usually sourced from breached password dumps on the dark web
  • A login portal that uses push-based MFA (such as a VPN, Microsoft 365, Okta, or Duo)
  • A victim who is alerted every time the attacker tries the login

Attackers repeatedly trigger the prompt, attempting to trick the target or wear them down until they approve the request. Sometimes, attackers pair prompt bombing with a vishing call in which they pose as IT and try to socially engineer the target. The danger is that these methods only need to work once.

If the prompt is approved, the attacker is logged in as that user. Security systems typically won’t be alerted, as the login looks entirely legitimate.
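A defender's view of the pattern described above, as an added example that is not from the original article: it scans authentication events for a burst of unapproved push prompts per user and marks the case where an approval follows the burst. The event fields, result values, window and threshold are assumptions rather than any vendor's log schema, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, user, push result).
# The result values "denied", "timeout" and "approved" are assumed names.
SAMPLE_EVENTS = [
    ("2026-05-01T02:10:00", "bob", "denied"),
    ("2026-05-01T02:11:00", "bob", "timeout"),
    ("2026-05-01T02:12:00", "bob", "denied"),
    ("2026-05-01T02:13:00", "bob", "timeout"),
    ("2026-05-01T02:14:00", "bob", "denied"),
    ("2026-05-01T02:15:00", "bob", "approved"),   # approval right after the burst
    ("2026-05-01T08:00:00", "dave", "denied"),
    ("2026-05-01T09:00:00", "dave", "denied"),    # an hour apart: not a burst
    ("2026-05-01T09:00:30", "alice", "approved"), # ordinary login
    ("2026-05-01T09:01:00", "dave", "approved"),
    ("2026-05-01T14:00:00", "carol", "denied"),
    ("2026-05-01T14:01:00", "carol", "denied"),
    ("2026-05-01T14:02:00", "carol", "timeout"),
    ("2026-05-01T14:03:00", "carol", "denied"),   # burst, never approved
]

def find_push_bombing(events, window=timedelta(minutes=10), threshold=4):
    """Flag users who get `threshold` or more unapproved push prompts inside
    `window`, and record whether an approval followed while the burst was live."""
    recent = defaultdict(deque)  # user -> timestamps of unapproved prompts
    alerts = {}                  # user -> alert record
    for ts_text, user, result in sorted(events):  # ISO strings sort by time
        ts = datetime.fromisoformat(ts_text)
        q = recent[user]
        while q and ts - q[0] > window:           # drop prompts outside window
            q.popleft()
        if result in ("denied", "timeout"):
            q.append(ts)
            if len(q) >= threshold:
                alert = alerts.setdefault(
                    user, {"user": user, "prompts": 0, "approved_after_burst": False})
                alert["prompts"] = max(alert["prompts"], len(q))
        elif result == "approved":
            if len(q) >= threshold:               # approval during an active burst
                alerts[user]["approved_after_burst"] = True
            q.clear()                             # a later burst starts from zero
    return list(alerts.values())

if __name__ == "__main__":
    for alert in find_push_bombing(SAMPLE_EVENTS):
        print(alert)
```

An alert with `approved_after_burst` set is the case the login itself would not reveal: the session looks legitimate, and only the preceding run of denied or ignored prompts distinguishes it.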

The Cisco breach

The 2022 Cisco breach is a key example of how effective this technique is against even mature security programs. An attacker linked to the Yanluowang ransomware group compromised a Cisco employee’s personal Google account, which was syncing browser-stored credentials, including the employee’s Cisco VPN password.

From there, the attacker pushed MFA prompts to the employee’s phone. That initially didn’t work, so they began using vishing calls posing as trusted support organizations, speaking in various accents, and eventually convincing the…
