Back in September, two hacks involving huge organisations hit the headlines: Uber and Rockstar Games. By way of a memory refresher, Uber was the first to fall, and fall spectacularly.
The taxi, food delivery and car rental company suffered what can only be described as an extensive systems hack. The attackers got hold of an external Uber contractor’s login credentials, either through a successful phishing attempt, a credential-stuffing attack (where one leaked set of credentials is tried against multiple sites and services to see whether it works on any of them) or, as Uber itself has posited, a purchase from a dark web dealer in such things.
What happened next is clearer, as the threat actor himself has boasted about it. It boils down to what could soon become a familiar phrase: MFA fatigue attack. In a Telegram conversation, the hacker says he kept trying to log in with the stolen credentials, more than 100 times in fact, which meant the victim was getting bombarded with push authentication messages. You know, those that say “someone is trying to access your account, is this you?” They require the user to answer yes or no, select a number that’s also