// TEMPLARSEC //
[ 2025-11-08 ] -- /posts/article-title

Your "Approve" Button is a Weapon: The Rise of MFA Fatigue

We've all been trained to use Multi-Factor Authentication (MFA). It's the gold standard, right? Well, hackers are proving that even gold can be tarnished.

A growing number of high-profile breaches aren't the result of a complex, zero-day exploit. They're a simple, psychological trick: MFA Fatigue. Here’s the anatomy of the attack:

  • The Steal: The hacker first acquires a valid employee password, likely from a previous data leak.
  • The Spam: They then try to log in, triggering an "Approve" notification on the employee's phone. And then they do it again. And again. And again, sometimes dozens of times, often in the middle of the night.
  • The "Fatigue": The employee, annoyed, confused, or just wanting the notifications to stop, finally taps "Approve" to make it all go away.

In that instant, the hacker is in.

The Takeaway: MFA is still 100% essential, but it's not a silver bullet. This attack proves that the "human element" is the most critical part of your defense. It's time to upgrade from simple "Approve/Deny" notifications. Services that require you to type in a matching number or a one-time code are far more resilient. Most importantly, employees need to be trained that a flood of login requests is not an annoyance—it's an active security incident.

  • MFA is still 100% essential.
  • Use number-matching MFA.
  • Do not reuse the same password.
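
A flood of push prompts is visible in authentication logs, so it can be alerted on like any other incident. The sketch below is an added example, not code from this post or the cited source: it counts denied or unanswered prompts per user in a sliding window and escalates when an approval follows a burst. The log format, window and threshold are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed look-back window
THRESHOLD = 5                    # assumed limit of unapproved prompts per window

# Constructed sample log (hypothetical format): "<ISO time> <user> <outcome>"
SAMPLE_LOG = """\
2025-11-08T02:10:05 alice denied
2025-11-08T02:10:40 alice timeout
2025-11-08T02:11:15 alice denied
2025-11-08T02:11:50 alice timeout
2025-11-08T02:12:20 alice denied
2025-11-08T02:12:55 alice approved
2025-11-08T09:00:00 bob approved
"""

def parse(log):
    """Yield (time, user, outcome) tuples, skipping malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2]
        except ValueError:
            continue

def detect_mfa_fatigue(log, window=WINDOW, threshold=THRESHOLD):
    """Return (time, user, kind) alerts for push floods and approvals that follow one."""
    recent = defaultdict(deque)   # user -> times of unapproved prompts still in window
    flooding = set()              # users already alerted for the current burst
    alerts = []
    for ts, user, outcome in sorted(parse(log)):
        q = recent[user]
        while q and ts - q[0] > window:
            q.popleft()           # expire prompts older than the window
        if len(q) < threshold:
            flooding.discard(user)
        if outcome == "approved":
            # An approval right after a burst is the fatigue tap: treat as compromise.
            if len(q) >= threshold:
                alerts.append((ts, user, "approved_after_flood"))
            q.clear()
            continue
        q.append(ts)
        if len(q) >= threshold and user not in flooding:
            flooding.add(user)
            alerts.append((ts, user, "push_flood"))
    return alerts
```

A `push_flood` alert means the password is already known to someone else and should be reset; `approved_after_flood` additionally calls for revoking the session that approval created.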

Source: PwnSentinel: "How Do We Stop MFA Fatigue Attacks in 2025?" https://pwnsentinel.org/2025/05/26/how-do-we-stop-mfa-fatigue-attacks/