On September 15, 2022, Uber was hacked through a weakness in how their multi-factor authentication (MFA) was used. This article will discuss what happened, and how you can protect yourself from MFA fatigue in the future.
Uber hacker announces in Uber’s internal Slack
“I announce i am a hacker and uber has suffered a data breach,” the message said.
The extent of the breach is unclear, though I am sure it will become clear over time. The last time Uber was hacked, in 2016, the hacker obtained personal information of 57 million people as well as 600,000 US drivers.
The entry point of this hack appears to have been MFA fatigue.
What is MFA Fatigue?
MFA fatigue is when your multi-factor authentication app prompts you quickly and repeatedly on your mobile phone to authorize a login, until you approve one of the prompts just to make them stop. This means the attacker already has your credentials, obtained either by purchasing them on the dark web or through their own methods; the push prompts are the attacker's attempts to turn those credentials into a session.
MFA fatigue can happen to anyone who uses an MFA app, such as Google Authenticator, Duo, Okta, Authy, or Microsoft Authenticator. It is important to note that this is not a weakness in the MFA protocol itself, but rather a user error, albeit one that we are all susceptible to if push notifications are turned on in your MFA app.
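The pattern described above (a burst of push prompts, several denied, then one approved) is something an identity team can watch for in its own MFA logs. The script below is an added example written for this article, not code from Uber or from any of the MFA vendors named; the log format, the field names, the user names and the timestamps are all constructed assumptions, and a real detection would read whatever push-notification events your identity provider actually exports.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical "timestamp,user,event" format.
# Each push_sent is one prompt on the phone; push_denied / push_approved is
# the user's response. "alice" shows the fatigue pattern, "bob" is normal use.
SAMPLE_LOG = """\
2022-09-15T22:01:05Z,alice,push_sent
2022-09-15T22:01:09Z,alice,push_denied
2022-09-15T22:01:30Z,alice,push_sent
2022-09-15T22:01:33Z,alice,push_denied
2022-09-15T22:02:01Z,alice,push_sent
2022-09-15T22:02:04Z,alice,push_denied
2022-09-15T22:02:30Z,alice,push_sent
2022-09-15T22:02:35Z,alice,push_denied
2022-09-15T22:03:02Z,alice,push_sent
2022-09-15T22:03:40Z,alice,push_approved
2022-09-15T22:05:00Z,bob,push_sent
2022-09-15T22:05:06Z,bob,push_approved
2022-09-16T08:00:00Z,bob,push_sent
2022-09-16T08:00:05Z,bob,push_approved
"""


def parse_log(text):
    """Parse the constructed log into (timestamp, user, event) tuples, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, user, event = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event))
    return sorted(events)


def detect_mfa_fatigue(text, window=timedelta(minutes=5), threshold=5):
    """Return {user: alert} for every user who received at least `threshold`
    push prompts inside any sliding `window`.

    The alert records how many prompts were denied in that burst and whether
    an approval followed it, which is the worst case: the user gave in.
    """
    sent = defaultdict(list)        # user -> timestamps of prompts
    responses = defaultdict(list)   # user -> (timestamp, denied|approved)
    for ts, user, event in parse_log(text):
        if event == "push_sent":
            sent[user].append(ts)
        elif event in ("push_denied", "push_approved"):
            responses[user].append((ts, event))

    alerts = {}
    for user, times in sent.items():
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until the prompts at start..end fit in it.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                win_start = times[start]
                denied = sum(1 for ts, ev in responses[user]
                             if ts >= win_start and ev == "push_denied")
                approved = any(ts >= win_start and ev == "push_approved"
                               for ts, ev in responses[user])
                alerts[user] = {
                    "window_start": win_start,
                    "prompts": count,
                    "denied": denied,
                    "approved_after_burst": approved,
                }
                break  # one alert per user is enough for triage
    return alerts


if __name__ == "__main__":
    for user, alert in detect_mfa_fatigue(SAMPLE_LOG).items():
        print(user, alert)
```

The window and threshold are tunable: a legitimate user rarely triggers more than two or three prompts in five minutes, so a burst of five is a reasonable starting point, and a burst that ends in an approval should be treated as a probable compromised session rather than a curiosity.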
How to protect yourself from MFA fatigue
Disable MFA app push notifications. Yes, I know, it does mean you have to make one or two additional clicks to open your MFA app instead of being prompted proactively, but it is a small price to pay, especially considering all the clicking we all already do.
The surest way to disable it is to go to your mobile notification settings and ensure all authentication apps have notifications turned off.
If you are in a business setting, your IT department or IT firm "should" be applying best practices and eliminating push notifications at a company level. Hopefully your IT department or IT firm is ISO 27001 certified and proactively addressing risks, of which MFA fatigue is just one.
Though the Uber hack is unfortunate, having such a public company be visibly hacked serves as a lesson that the rest of us can apply to prevent being hacked ourselves.