A recent report from Truffle Security uncovered over 12,000 active API keys and passwords embedded within Common Crawl, a dataset used to train large language models (LLMs). These leaked credentials provided attackers unrestricted access to corporate networks and sensitive databases, completely bypassing multi-factor authentication (MFA).
"Multi-factor authentication is a great idea and an effective control, but realistically, it's nearly impossible for organizations to implement everywhere consistently," said Hed Kovetz, CEO & Co-Founder of Silverfort, during the SC Media webinar Beyond Perimeter Defenses: Closing Identity Security Gaps in 2025.
The false sense of security behind MFA
Organizations have long relied on MFA to prevent credential theft, using push notifications, one-time passwords (OTPs), and biometric verification. Yet attackers have evolved, sidestepping MFA entirely through session hijacking, MFA fatigue, and sophisticated AI impersonations. The critical issue now is not merely whether MFA is deployed, but how effectively it's functioning.
"Identity is at the center of most breaches today," Kovetz noted. "Attackers aren’t using sophisticated exploits—they’re simply logging in. MFA was meant to stop this—but it’s failing."
What follows are the top MFA-busting techniques challenging the once tried and true identity attack defense. Also included are tips to combat these growing identity attacks.
Top MFA workarounds
Cybercriminals are turning to a range of strategies to outmaneuver MFA. One such technique is session hijacking and OAuth token theft. This is when attackers target session tokens rather than passwords. According to Kovetz, "An OAuth key bypasses MFA altogether. Once stolen, it’s like having a permanent login." For example, attackers used stolen session tokens to compromise Uber in 2022, gaining unrestricted access to internal systems.
Another type of hack is called an MFA fatigue attack. This describes attackers overwhelm users with MFA push notifications until they inadvertently approve fraudulent requests. "Attackers send hundreds of push notifications until an employee, frustrated or distracted, just taps 'approve,'" explained Adrian Sanabria, principal researcher with The Defenders Initiative. Cisco faced this exact method in its 2022 breach, resulting in unauthorized access to sensitive corporate resources.
Add to this MFA end-run attacks social engineering and AI deepfakes. AI-driven phishing and deepfake communications are becoming nearly indistinguishable from authentic interactions. "People receive messages sounding exactly like their boss, asking them to approve an MFA request," said Kovetz. One notable incident involved attackers using AI-generated deepfake audio of a CEO’s voice to trick an employee into approving fraudulent financial transactions.
Another tactic is called SIM swapping and MFA interception. Despite known vulnerabilities, many organizations still rely on SMS-based authentication. "SIM swapping isn’t new, but companies still use text-based MFA," Kovetz remarked. "That’s just handing attackers an open door." Twitter CEO Jack Dorsey’s account was famously compromised through SIM swapping in 2019.
Why MFA Alone Isn’t Enough
Experts emphasize the limitations of relying solely on MFA due to its inconsistent deployment across systems. "We talk about MFA like it’s a magic fix," Sanabria said. "It’s not. Attackers don’t need to bypass it—they just sidestep it."
Moreover, organizations often overlook exceptions like service accounts, legacy applications, and remote access tools. "All an attacker needs is one gap," Kovetz noted.
To effectively secure identities, organizations must evolve beyond traditional MFA solutions. Sanabria urged adopting a more holistic approach, stating, "We can’t just keep layering MFA on top of broken identity models."
Security enhancements should include:
A Wake-Up Call for Security Teams
The Truffle Security findings underscore the urgency of adopting a dynamic, adaptive identity security approach. Traditional authentication methods, including MFA, are proving inadequate against evolving threats. Organizations must proactively manage credential hygiene and eliminate hardcoded secrets from their systems.
"Attackers are getting better at what they do," Sanabria warned. "If we keep using outdated security models, we’ll keep losing."
To achieve robust security, organizations must embrace continuous monitoring, adaptive risk assessment, and behavior-based authentication. The critical question remains: Will security teams implement these essential changes before another major breach occurs?
(Editor’s Note: A portion of this content used a large language model to distill a single source of original content, such as a transcript, data, or research report. This content was conceived, crafted and fact-checked by a staff editor, and any sourced intellectual property used is clearly credited and disclosed.)
