How Hackers Bypass MFA, And What You Can Do About It



Earlier this year, Google’s cybersecurity subsidiary, Mandiant, fell victim to a scam. An attacker hacked the company’s account on X (formerly known as Twitter) and used it to commit cryptocurrency fraud, scamming many users.


It turns out that multi-factor authentication (MFA) is not a foolproof solution, even for cybersecurity companies, let alone regular users. Hackers can bypass MFA using several techniques that have proven to be effective.


Advanced Malware and Data Theft

In January, a researcher from Malwarebytes Labs explained how Google’s MFA system can be bypassed. Simply put, stealing an authentication token is enough. Hackers can do this by using an information-stealing Trojan to collect data from the victim's system. The consequences of such an attack can be severe, and even changing the password won’t help the victims.
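The token theft described above can be looked for in server-side session logs. The following is an added example, not code from the original article or from any vendor: it flags a session that appears from a client that never completed MFA, and a session that is still accepted after a password change. The log format, field names and event types are assumptions, and the sample events are constructed.

```python
import json

# Constructed sample events, one JSON object per line. The field names and
# event types are assumptions for this example, not a real product's schema.
SAMPLE_LOG = """
{"ts": 100, "user": "alice", "sid": "s1", "event": "mfa_ok", "ip": "198.51.100.7", "ua": "Firefox/Windows"}
{"ts": 160, "user": "alice", "sid": "s1", "event": "request", "ip": "198.51.100.7", "ua": "Firefox/Windows"}
{"ts": 200, "user": "bob", "sid": "s2", "event": "mfa_ok", "ip": "192.0.2.10", "ua": "Safari/macOS"}
{"ts": 260, "user": "bob", "sid": "s2", "event": "request", "ip": "192.0.2.10", "ua": "Safari/macOS"}
{"ts": 900, "user": "alice", "sid": "s1", "event": "request", "ip": "203.0.113.44", "ua": "Chrome/Linux"}
{"ts": 1200, "user": "alice", "sid": null, "event": "password_change", "ip": "198.51.100.7", "ua": "Firefox/Windows"}
{"ts": 1500, "user": "alice", "sid": "s1", "event": "request", "ip": "203.0.113.44", "ua": "Chrome/Linux"}
"""


def find_token_reuse(log_text):
    """Return (ts, sid, reason) alerts for sessions that look replayed."""
    events = sorted(
        (json.loads(line) for line in log_text.splitlines() if line.strip()),
        key=lambda e: e["ts"],
    )
    issued = {}      # sid -> (ts, ip, ua) recorded when MFA was completed
    pw_changed = {}  # user -> ts of the most recent password change
    alerts = []
    for e in events:
        if e["event"] == "mfa_ok":
            issued[e["sid"]] = (e["ts"], e["ip"], e["ua"])
        elif e["event"] == "password_change":
            pw_changed[e["user"]] = e["ts"]
        elif e["event"] == "request":
            sid = e["sid"]
            if sid not in issued:
                alerts.append((e["ts"], sid, "no_mfa_on_record"))
                continue
            issued_ts, ip, ua = issued[sid]
            # A token copied off the victim's machine shows up from a client
            # that never passed MFA. IP alone is noisy (mobile networks), so
            # require the user agent to differ as well.
            if e["ip"] != ip and e["ua"] != ua:
                alerts.append((e["ts"], sid, "context_changed"))
            # The session predates a password change and is still accepted:
            # the reset did not revoke it.
            if pw_changed.get(e["user"], -1) > issued_ts:
                alerts.append((e["ts"], sid, "survived_password_change"))
    return alerts


if __name__ == "__main__":
    for alert in find_token_reuse(SAMPLE_LOG):
        print(alert)
```

Either alert is a reason to revoke the session on the server; the second also shows why a password reset should invalidate every existing session for the account.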


One example of such malware is Meduza Stealer, which extracts data from hundreds of browsers, MFA apps, crypto wallets, and password managers. This tool is distributed through subscriptions to select hackers and receives regular signature updates, making it difficult for antivirus software to detect.


Generally speaking, data interception software is one of the most common methods used to bypass multi-factor authentication. This tactic is as old as the hacker world itself, yet it remains highly effective.

Thanks to malware, attackers can also intercept emails, often obtaining one-time access codes for targeted accounts. Typically, users don’t notice these messages and only realize their accounts have been compromised when it’s too late.


Intercepting notifications from an authentication app on the victim’s smartphone works similarly. Spyware installed on a mobile device can capture SMS messages containing MFA data.


Keyloggers, tools installed on a victim’s device that record keystrokes as login credentials and passwords are typed, are another common method hackers use to compromise accounts.


Hackers used this method to access customer data on LastPass, a paid platform for storing passwords. It was revealed that they installed a keylogger on the personal computer of one of the company's engineers to break into the LastPass storage. If LastPass is supposed to protect our passwords, then who will protect the protectors?
