Summary3 min read

Podcast Summary: Hacking Humans – "MFA prompt bombing (noun) [Word Notes]"

Podcast: Hacking Humans
Host: N2K Networks
Episode Title: MFA prompt bombing (noun) [Word Notes]
Episode Date: January 13, 2026

Overview

This episode of Word Notes on Hacking Humans dives into the cybercrime technique known as "MFA prompt bombing." The primary focus is on how attackers exploit human behavior to bypass multi-factor authentication (MFA) by bombarding users with repeated authentication prompts, leading them to eventually approve access out of annoyance or confusion. The episode explains the technical method, real-world examples, notable threat actors, and even draws a pop culture parallel to illustrate the concept.

Key Discussion Points & Insights

What is MFA Prompt Bombing?

Definition:
MFA prompt bombing involves flooding a user's device with repeated MFA prompts. Attackers who possess a compromised username and password repeatedly attempt to log in, generating a “blizzard” of authentication requests (01:23).
Purpose:
The hope is the legitimate user will, out of frustration or confusion, approve one of the prompts, granting attackers access.

"Hackers bypass multi factor authentication schemes by sending a blizzard of spamming login attempts until the account's owner accepts the MFA prompt out of desperation to make the spamming stop."
— Tim Nodar (01:33)
Behavioral Exploit:
The attack works because people dislike being pestered or inconvenienced, especially while tired or busy. Victims may assume it's merely an error or a legitimate IT process.

Real-World Tactics & Examples

Case Example:
"In the middle of the night, the victim, after receiving hundreds of MFA prompts on his phone, validated access to his account and went back to bed." — Tim Nodar (01:45)
Threat Actor Insights:
- Lapsus$ Quote:
  Dan Gooding of Ars Technica referenced a Lapsus$ member stating:
  
  "No limit is placed on the amount of calls that can be made. Call the employee 100 times at 1am or while he's trying to sleep, and he will more than likely accept it." — Quoted by Tim Nodar (03:10)
- Nation-State Usage:
  Russian cyber-espionage group APT29 (Cozy Bear) has been documented using MFA prompt bombing in targeted attacks, as observed by Mandiant researchers (03:30).

Pop Culture Illustration (Nerd Reference)

Sneakers (1992) Analogy: The podcast draws a parallel between the attack and a scene from the classic hacker film "Sneakers."
- Setup: River Phoenix and Robert Redford's characters attempt to get past a security guard, overwhelming him with simultaneous demands, confusion, and manufactured urgency.
- Parallel: The security guard, much like MFA users, faces an onslaught and ultimately complies just to make the problem go away.
- Quote:
  
  "Thanks. And that's MFA prompt bombing in the real world." — Tim Nodar (05:39)

Human Factors in Security

Key Insight:
The episode emphasizes that technology alone can’t secure systems if human response to unexpected annoyances is to simply give in and approve requests.

Memorable Quotes & Moments

On Annoyance as an Attack Vector:

"This hacking technique takes advantage of the fact that we all hate to be annoyed and inconvenienced."
— Tim Nodar (02:10)
Lapsus$ Member Tactics:

"Call the employee 100 times at 1am or while he's trying to sleep, and he will more than likely accept it."
— Quoted by Tim Nodar (03:14)
Sneakers Film Comparison:

"That's when Redford walks past the guard, up to the electronic door that's locked carrying a bundle of helium balloons and a birthday cake box and starts yelling at the guard to let him in."
— Tim Nodar (05:17)
Summary:

"That's MFA prompt bombing in the real world."
— Tim Nodar (05:39)

Notable Timestamps

01:23 — Definition and explanation of MFA prompt bombing
02:10 — Exploitation of human behavior (annoyance and confusion)
03:10–03:30 — Quoting Lapsus$ and referencing APT29’s use of this technique
04:52–05:39 — "Sneakers" movie analogy and live-action play-by-play
05:39 — Episode summary statement linking the analogy to modern cybercrime

Conclusion

The episode succinctly explains how MFA prompt bombing manipulates the weakest element in any security protocol: the human user. By overwhelming them with authentication prompts, attackers exploit user fatigue, inconvenience, and confusion to gain unauthorized access—often with startling ease. The "Sneakers" analogy grounds the abstract concept in a relatable, memorable cultural reference, driving home the importance of user vigilance and the limits of technical solutions alone.

Loading summary

Transcript30 lines

[00:02]
Rick Howard
You're listening to the Cyberwire Network powered by N2K.
[00:12]
Peter Kilpe
Most environments trust far more than they should, and attackers know it. ThreatLocker solves that by enforcing default deny at the point of execution. With ThreatLocker allow listing, you stop unknown executables cold. With ring Fencing, you control how trusted applications behave, and with threatlocker DAC defense against configurations, you get real assurance that your environment is free of misconfigurations and clear visibility into whether you meet compliance standards. ThreatLocker is the simplest way to enforce zero trust principles without the operational pain. It's powerful protection that gives CISOs real visibility, real control, and real peace of mind. ThreatLocker makes zero trust attainable even for small security teams. See why thousands of organizations choose Threat Locker to minimize alert fatigue, stop ransomware at the source, and regain control over their environments. Schedule your demo@threatlocker.com N2K today.
[01:23]
Tim Nodar
The word is MFA prompt bombing, Spelled M for multi, F for factor, A for authentication prompt, as in a Multi Factor Authentication notification, and bombing, as in sending repeated MFA prompts to a user's device. Hackers bypass multi factor authentication schemes by sending a blizzard of spamming login attempts until the account's owner accepts the MFA prompt out of desperation to make the spamming stop. Example sentence in the middle of the night, the victim, after receiving hundreds of MFA prompts on his phone, validated access to his account and went back to bed. Origin and Context this hacking technique takes advantage of the fact that we all hate to be annoyed and inconvenienced. After an attacker steals a victim's username and password, they repeatedly attempt to log in as the victim, which sends a Multi Factor Authentication request to the victim's second factor, usually his mobile device. Users who aren't paying attention get frustrated with the volume of authentication requests and just to make it go away, they approve it. They might assume it's just an error, or maybe an IT employee at their company trying to log into their account. Regardless, they can't be bothered and accept the request. Dan Gooding at Ars Technica quotes a member of the Lapsus cybercrime group as saying, no limit is placed on the amount of calls that can be made. Call the employee 100 times at 1am or while he's trying to sleep, and he will more than likely accept it. Once the employee accepts the initial call, you can access the MFA enrollment portal and enroll another device. Nation state actors have also been observed using this technique. Researchers at Mandia note that the Russian threat actor APT29 also known as Cozy Bear, has successfully used MFA prompt bombing in its own campaign. Nerd reference. The 1992 movie Sneakers, one of the all time great hacker movies, has the perfect scene that demonstrates real life MFA prompt bombing. By the way, the movie was written by the guys who wrote another all time great hacker movie, War Games. Lawrence Lasker and Walter Parks in this scene. Robert Redford, probably best known to this audience for Endgame and Captain Winter Soldier and River Phoenix, probably best known for Indiana Jones and the Last Crusade he played the young Indiana Jones, are trying to get past a security guard and an electronic lock. Two factors. The scene opens with River Phoenix dressed as a delivery man standing in front of the security guard with a stack of Drano boxes, claiming that he has a work order to deliver them to the top floor. The security guard doesn't have him on the access list and is having none of it. The two get into a heated argument. That's when Redford walks up to the counter with some lame story about his wife delivering the birthday cake and the balloons.
[04:52]
John Petrick
Listen, I'm sorry. They didn't have anything on record.
[04:54]
Rick Howard
Hold on a second.
[04:55]
Peter Kilpe
I got this.
[04:56]
John Petrick
Did my wife drop the cake off for me?
[04:57]
Tim Nodar
I want cake.
[04:58]
John Petrick
There's no cake back here for March.
[05:00]
Peter Kilpe
On the second floor.
[05:00]
John Petrick
She was supposed to drop a cake off.
[05:02]
Peter Kilpe
I dropped.
[05:02]
John Petrick
Don't worry about it.
[05:04]
Peter Kilpe
There she is.
[05:05]
John Petrick
Ladies.
[05:05]
Peter Kilpe
You okay?
[05:06]
Rick Howard
Well, it states right here very clearly that I am to deliver 36 boxes of liquid draining to this here address.
[05:11]
John Petrick
I don't care what that says. If you're not on the list, you can't get in.
[05:13]
Rick Howard
I do have a problem with you.
[05:14]
Peter Kilpe
You can't get.
[05:15]
Rick Howard
I might lose my job.
[05:16]
Tim Nodar
That's not my problem.
[05:17]
John Petrick
Kidnapped.
[05:17]
Tim Nodar
That's when Refert walks past the guard, up to the electronic door that's locked carrying a bundle of helium balloons and a birthday cake box and starts yelling at the guard to let him in.
[05:29]
John Petrick
I can't reach my cart. I can't reach my cars. Wait one minute.
[05:33]
Tim Nodar
Buzzer.
[05:34]
John Petrick
Okay, we're late for the party on the second floor.
[05:36]
Rick Howard
Please push the goddamn buzzer, will ya?
[05:39]
Tim Nodar
Thanks. And that's MFA prompt bombing in the real world. Word Notes is written by Tim Nodar, executive produced by Peter Kilpie and edited by John Petrick and me, Rick Howard. The mixed sound, design and original music have all been crafted by the ridiculously talented Elliot Peltzman. Thanks for listening. Foreign.
[06:26]
Peter Kilpe
If you only attend one cybersecurity conference this year, make it RSAC 2026. It's happening March 23rd. Through the 26th in San Francisco, bringing together the global security community for four days of expert insights, hands on learning and real innovation. I'll say this plainly, I never miss this conference. The ideas and conversations stay with me all year. Join thousands of practitioners and leaders tackling today's toughest challenges and shaping what comes next. Register today@rsaconference.com cyberwire26 I'll see you in San Francisco.