
Hacking Humans: MFA prompt bombing (noun) [Word Notes]
Jan 13, 2026
Explore the intriguing tactic of MFA prompt bombing, where attackers overwhelm users with constant authentication requests until they give in. Hear a vivid example of a user approving endless prompts out of sheer frustration. Discover how cybercriminals exploit this weakness, referencing real-world cases like Lapsus group activities. Enjoy a fun analogy comparing the technique to a scene from the movie 'Sneakers', highlighting the persistence needed to bypass security. This session dives deep into user psychology and the vulnerabilities cyber attackers exploit.
AI Snips
Human Annoyance Is The Attack Vector
- MFA prompt bombing exploits human annoyance to bypass multi-factor protections through repeated prompts.
- Attackers rely on users approving prompts just to stop the nuisance rather than verifying the request.
Avoid Approving Unexpected Prompts
- Don't approve unexpected MFA prompts; treat repeated prompts as a sign of compromise.
- Verify with your IT team or use alternative recovery channels before accepting any suspicious request.
Lapsus' Nighttime Harassment Trick
- The Lapsus group bragged they place no limit on calls and will call an employee 100 times at 1 a.m. to force acceptance.
- Once accepted, attackers can enroll another device via the MFA portal and take over the account.
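The sequence described in these snips (a burst of prompts, an approval, then a new device enrolled) is something a defender can look for in MFA logs. The sketch below is an added example, not material from the episode; the log format, the event names (`push_sent`, `push_approved`, `device_enrolled`) and the thresholds are assumptions, and the sample lines are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <user> <event>" (hypothetical format).
SAMPLE = """\
2026-01-13T01:00:05 alice push_sent
2026-01-13T01:01:00 alice push_sent
2026-01-13T01:02:00 alice push_sent
2026-01-13T01:03:00 alice push_sent
2026-01-13T01:04:00 alice push_sent
2026-01-13T01:05:00 alice push_sent
2026-01-13T01:05:30 alice push_approved
2026-01-13T01:09:00 alice device_enrolled
2026-01-13T09:00:00 bob push_sent
2026-01-13T09:00:10 bob push_approved
2026-01-13T09:20:00 bob device_enrolled
"""

def parse(log):
    """Yield (timestamp, user, event) tuples from the log text."""
    for line in log.strip().splitlines():
        ts, user, event = line.split()
        yield datetime.fromisoformat(ts), user, event

def detect(log, burst=5, window=timedelta(minutes=10),
           enroll_within=timedelta(minutes=30)):
    """Flag approvals that follow a prompt burst, and enrollments soon after."""
    prompts = {}   # user -> timestamps of prompts since the last approval
    bombed = {}    # user -> time of an approval that followed a burst
    alerts = []
    for ts, user, event in sorted(parse(log)):
        if event == "push_sent":
            prompts.setdefault(user, []).append(ts)
        elif event == "push_approved":
            # Count only prompts inside the look-back window before approval.
            recent = [t for t in prompts.get(user, []) if ts - t <= window]
            if len(recent) >= burst:
                bombed[user] = ts
                alerts.append((user, "approval_after_prompt_burst"))
            prompts[user] = []
        elif event == "device_enrolled":
            # A new device right after a suspicious approval is the takeover step.
            if user in bombed and ts - bombed[user] <= enroll_within:
                alerts.append((user, "enrollment_after_bombed_approval"))
    return alerts

if __name__ == "__main__":
    for user, rule in detect(SAMPLE):
        print(f"ALERT {rule}: {user}")
```

A single prompt followed by an approval and a later enrollment, as in the `bob` lines, raises nothing; tune `burst` and the two windows to the normal prompt volume in your environment.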
