Skip to main content
Irritation and MFA Fatigue Attack Lecture small business.

The latest cybersecurity news may make it seem like malicious actors will always be one step ahead of your IT department with new attack strategies like irritation, but keeping an eye on the security landscape can actually help your small business stay ahead of the curve as new attacks and strategies are deployed by hackers. Recently, Uber had a data breach, and a hacker was able to gain access to their network and cause quite a lot of damage. This news story is a great learning moment for how your business can improve its use of multifactor authentication (MFA) and avoid irritation attacks, which are also called MFA fatigue attacks.

How Did the Irritation Attack Work?

An 18-year-old hacker was able to gain access to Uber’s network by ‘irritating’ his way past the MFA defense on Uber accounts. First, the malicious actor needed valid credentials to attempt a login. Once his login attempt was successful, the hacker irritated the account owner into giving him access by repeatedly sending authentication requests for roughly an hour. The hacker then messaged the user directly and impersonated Uber IT, saying that if he accepted the MFA request, then they would stop. This combination of irritation and social engineering worked, and the user accepted the MFA request, giving the attacker access to Uber’s network.

According to Graham Cluley’s report of the attack, once the hacker was inside he, “scanned the company’s network and found a PowerShell script containing hardcoded credentials for a Thycotic PAM admin account.” This gave the attacker access to Uber’s sensitive internal information, which he posted pictures of to prove the theft. In response, Uber had to shut down its use of slack and other internal applications until they re-secured their network.

What Can Small Businesses Learn About Irritation Attacks?

This story has many lessons for small business cybersecurity, but the one front and center involves MFA. Multifactor authentication is an essential part of a strong security posture, but it is not immune to abuse. Uber had no limit on the number of push notification or calls that could be requested to authenticate, and this is what allows an irritation attack to happen. Your small business should look into how authentication requests can be limited, and your users should be trained to change their password the moment strange MFA activity is detected.

Lessons for Better Training

Another lesson small businesses can take away from this event is how the attacker ultimately got the user to accept. He posed as IT and offered a solution that seemed to make sense on the surface, which an irritated account owner will be willing to accept to make the requests stop. Your small business should set clear expectations for how IT will contact employees, even if they have to go outside of normal business communication channels. Having an expected process will help employees identify potential social engineering attacks and not respond to anyone claiming to be your IT department.


It’s never a good thing when a company suffers a security breach, but if businesses don’t learn from the mistakes of others, then the bad guys will have more victims. This irritation attack on Uber could happen to any company without the proper limitations on their MFA, and this is a good reminder that even with the best security layers in place, an attacker can still take advantage of the tools that keep your company safe. Here at Robinett Consulting, we believe that cybersecurity demands life long learning, and we value keeping our partners up to date with their cybersecurity tools and their threat landscape awareness!

Robinett Consulting

Author Robinett Consulting

At Robinett Consulting, we are your consultative partner who strives to grow your business and have technology truly enabling you. We aim to understand you and your business so that you do what you do best unhindered by your IT.

More posts by Robinett Consulting