The 2 A.M. Approval: How MFA Fatigue Let an Attacker Walk Right In
Here is the uncomfortable part: this business had done the thing everyone tells you to do. It had turned on multi-factor authentication. And it still got breached, because the attacker never tried to beat the MFA. They simply kept asking the employee to approve the sign-in, over and over, until the employee did.
The setup
An employee’s password had leaked in an unrelated breach and ended up in a credential dump. The attacker had a valid password but hit the MFA prompt at login. The account was set up with “push” notifications, the kind where your phone buzzes and you tap “approve” to sign in. That convenience became the weakness: a one-tap approval proves only that someone tapped a button, not that the person tapping is the one sitting at the login screen.
The trigger
The attacker logged in again and again, firing off a push notification each time. The employee’s phone buzzed at dinner, then during a meeting, then at 2 a.m. Annoyed and half asleep, assuming it was a glitch, they finally tapped “approve” to make it stop. That single tap handed the attacker a logged-in session. This is called an MFA fatigue or push-bombing attack, and it has been behind several high-profile breaches.
Why it worked
- A reused, leaked password. The attacker started with a real credential.
- Simple “approve” push prompts. A one-tap approval is easy to grant by mistake under pressure.
- No limit on prompts. A burst of unanswered or denied prompts in a row should have locked the account and alerted someone, not kept asking.
- No training on the tactic. The employee did not know that an unexpected flood of prompts is an attack in progress.
The fix, and what it would have cost
Switching from one-tap “approve” prompts to number matching (the login screen shows a number, and the person approving must type that same number into their authenticator app, so nobody can approve a sign-in they are not looking at), capping how many prompts an account can receive in a short window before it locks and raises an alert, and a five-minute briefing that says “never approve a prompt you did not start; deny it and report it” would have stopped this cold. A phishing-resistant method such as a hardware security key or a passkey is stronger still, because there is no remote prompt to approve: the key answers only a login happening on the device in front of the user. The first three fixes are free or close to it; hardware keys cost a little per employee. The breach meant a forced password reset across the company, an investigation, and weeks of worry about what the attacker had seen.
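To make the two configuration fixes concrete, the following simulation is added here. It is illustrative code written for this page, not the breached company’s system or any vendor’s MFA product. The cap of five pushes per ten minutes, the one-hour lock and the sixty-second challenge lifetime are assumed values, as are the user names and timestamps. It replays the story: the attacker’s burst of pushes hits the cap and locks the account, and a half-asleep approval made without the number from the login screen is refused.

```python
"""Added simulation of push MFA with number matching and a prompt cap.
Illustrative code written for this page; not any vendor's implementation.
Timestamps are plain seconds so the scenario can be replayed deterministically."""
import secrets
from dataclasses import dataclass, field
from typing import Optional

PROMPT_CAP = 5        # assumed: pushes allowed per user per window before lockout
WINDOW_SECONDS = 600  # assumed: ten-minute window
LOCK_SECONDS = 3600   # assumed: one-hour lockout once the cap is exceeded
CHALLENGE_TTL = 60    # assumed: a push not answered within a minute dies


@dataclass
class Challenge:
    number: str      # two-digit number shown on the login screen only
    created: float   # when the push was sent


@dataclass
class UserState:
    prompts: list = field(default_factory=list)  # send times inside the window
    locked_until: float = 0.0
    pending: Optional[Challenge] = None


class PushMfaService:
    """Push MFA configured the way the article recommends."""

    def __init__(self):
        self.users = {}

    def _state(self, user):
        return self.users.setdefault(user, UserState())

    def request_push(self, user, now):
        """Called by the login server after a correct password.
        Returns (status, number); the number is displayed on the login screen."""
        st = self._state(user)
        if now < st.locked_until:
            return "locked", None
        # Forget prompts older than the window, then apply the cap.
        st.prompts = [t for t in st.prompts if now - t < WINDOW_SECONDS]
        if len(st.prompts) >= PROMPT_CAP:
            st.locked_until = now + LOCK_SECONDS
            st.pending = None         # kill any push still in flight
            return "locked", None     # a real service would alert an admin here
        st.prompts.append(now)
        number = f"{secrets.randbelow(100):02d}"
        st.pending = Challenge(number, now)
        return "sent", number

    def respond(self, user, entered_number, now):
        """Called from the phone. The approver must type the number that the
        login screen shows; someone who cannot see that screen cannot know it."""
        st = self._state(user)
        ch, st.pending = st.pending, None   # one attempt per challenge
        if ch is None or now - ch.created > CHALLENGE_TTL:
            return "expired"
        if entered_number != ch.number:
            return "denied"
        return "approved"


def legitimate_login(svc, user, now):
    """The user is at the login screen, reads the number and types it."""
    status, number = svc.request_push(user, now)
    if status != "sent":
        return status
    return svc.respond(user, number, now + 5)


def blind_approve(svc, user, now):
    """The 2 a.m. case: the employee is not at the login screen and cannot know
    the number. A guess is wrong 99 times in 100; a wrong one is chosen here so
    the outcome is deterministic."""
    status, number = svc.request_push(user, now)
    if status != "sent":
        return status
    guess = "00" if number != "00" else "01"
    return svc.respond(user, guess, now + 5)


def push_bombing(svc, user, start, attempts=8, gap=30):
    """The attacker, holding the leaked password, retries login every 30 s.
    Returns the status of each attempt."""
    return [svc.request_push(user, start + i * gap)[0] for i in range(attempts)]


if __name__ == "__main__":
    svc = PushMfaService()
    print("legit:", legitimate_login(svc, "alice", 0))
    print("blind:", blind_approve(svc, "alice", 100))
    print("bombing:", push_bombing(svc, "alice", 1000))
    print("after lock:", legitimate_login(svc, "alice",
                                          svc.users["alice"].locked_until + 1))
```

Two points a practitioner would add in production: the lock branch should raise an alert, because an account locked after a burst of unanswered pushes is the clearest sign that its password has leaked; and since anyone holding the password can trigger the lock, the lockout needs monitoring so it cannot be turned into a way of keeping the real employee out.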
MFA is still essential. It just has to be set up the right way. Our Playbook on multi-factor authentication walks through how.