If You Receive An Unprompted MFA OTP Code, You’ve Likely Been Pwned

I was recently called by a client to debug why they were getting emails like this randomly:

Now this email, or one like it, or a text message, or a smartphone notification, is sent to you when you try to log into an account that is protected by Multi-Factor Authentication (MFA). It’s a one-time passcode (OTP) that, combined with a password, allows you to log into an account. And if you get emails like this out of the blue when you’re not trying to log into said account, it means that someone has gotten their hands on your password and is trying to log into the account. But they were stopped by the fact that you had MFA enabled on your account.

The fix for this is simple. You should immediately change the password. And if you have other accounts that use the same password, you should change those as well immediately.

Top Tip #1: Change your password by going directly to the site and not clicking on anything in the email.

Top Tip #2: If you get a smartphone notification to approve a login request that you did not initiate, immediately decline the request and change your password ASAP.

So the question is, how did the bad guy get their hands on your password? The answer is simple: it was likely obtained in a data breach of some sort, or in a phishing attack, or via malware. And the bad guy is using it in what is called a credential stuffing attack, where they try a password that they obtained in an attack on multiple sites, hoping to get lucky. And they did, sort of. But they got stopped by MFA and OTP being enabled on the account. This shows the value of having MFA and OTP enabled on all your online accounts. Thus, if you want to maximize the security of your online accounts, enable MFA and OTP if either is offered. That way, if your password ever leaks, you will still have some degree of security in place.
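The same event seen from the service side, as an added example that is not code from the original post: detection logic run over constructed authentication log lines, flagging accounts where a correct password led to an OTP challenge that was never completed. The log format, field names and values are assumptions made for the example.

```python
# Added example (not from the original post): flag accounts where a correct
# password triggered an OTP challenge that was never completed.  The log
# format, field names and values below are constructed for illustration.
import json
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
{"ts": "2024-05-01T09:00:00", "user": "alice", "event": "otp_sent", "ip": "203.0.113.5"}
{"ts": "2024-05-01T09:00:40", "user": "alice", "event": "mfa_ok", "ip": "203.0.113.5"}
{"ts": "2024-05-01T13:10:01", "user": "bob", "event": "otp_sent", "ip": "198.51.100.7"}
{"ts": "2024-05-01T13:12:01", "user": "bob", "event": "otp_sent", "ip": "198.51.100.9"}
{"ts": "2024-05-01T13:15:00", "user": "carol", "event": "password_fail", "ip": "192.0.2.4"}
{"ts": "2024-05-01T14:00:00", "user": "alice", "event": "otp_sent", "ip": "198.51.100.9"}
"""

def parse_events(text):
    """One JSON object per line; timestamps are ISO 8601."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return events

def unfinished_mfa(events, window=timedelta(minutes=10)):
    """Return {user: sorted ips} for every OTP challenge (otp_sent, i.e. the
    password was already accepted) with no mfa_ok for that user inside
    `window`.  Each hit is the server-side view of the 'unprompted OTP' the
    post describes: the password is known to someone who is not the user."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    suspects = {}
    for user, evs in by_user.items():
        done = [e["ts"] for e in evs if e["event"] == "mfa_ok"]
        ips = {e["ip"] for e in evs if e["event"] == "otp_sent"
               and not any(e["ts"] <= d <= e["ts"] + window for d in done)}
        if ips:
            suspects[user] = sorted(ips)
    return suspects

if __name__ == "__main__":
    for user, ips in unfinished_mfa(parse_events(SAMPLE_LOG)).items():
        print(f"{user}: OTP challenge(s) never completed from {', '.join(ips)}"
              " -> treat password as compromised; reset it and any reused copies")
```

Accounts listed by `unfinished_mfa` are the ones whose owners should get the "change your password now" advice above; `carol`, whose password was never accepted, is not flagged.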
