Microsoft MFA Mishap: How a 60-Minute Hack Exposed 400 Million Accounts!
Oasis Security researchers exposed a Microsoft Azure MFA vulnerability, allowing attackers ample time to guess codes. The flaw, dubbed “AuthQuake,” enabled rapid code attempts with no alerts, putting millions at risk. Microsoft has since patched it, but remember, even the best systems aren’t entirely attacker-proof!

Hot Take:
Looks like Microsoft’s Azure had a bit of an “oopsie-daisy” moment with their MFA system. While the rest of us were busy trying to remember our own passwords, hackers were laughing all the way to Outlook, Teams, and OneDrive! Kudos to Oasis Security for exposing the AuthQuake flaw before it became the next blockbuster disaster movie. But seriously, who knew guessing a 6-digit code could be so… dare I say… ‘authentic’?
Key Points:
- Researchers at Oasis Security discovered a critical vulnerability in Microsoft Azure’s MFA system, dubbed “AuthQuake”.
- The flaw stemmed from a lack of rate limiting on MFA code attempts, allowing unauthorized access and affecting over 400 million Microsoft 365 users.
- Attackers had a 3% success rate per extended MFA code attempt, significantly increasing the chance of guessing the code correctly.
- Microsoft addressed the issue by implementing a stricter rate limit by October 9, 2023.
- Oasis recommended best practices including authenticator apps, strong password hygiene, and alerting on failed MFA attempts.
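As an added illustration (not code from the article, from Microsoft or from Oasis Security), the sketch below shows the two controls the key points describe: a per-account rate limit on MFA code attempts and an alert when repeated failures are seen, alongside the arithmetic for how an attacker's odds grow when attempts are unlimited. The six-digit code space, the 10-attempt limit and the 10-minute lockout window are assumptions for the example, not Microsoft's actual values.

```python
import time
from collections import defaultdict

CODE_SPACE = 10**6        # six-digit codes (assumption: standard OTP length)
MAX_ATTEMPTS = 10         # assumed per-account limit, not Microsoft's real value
LOCKOUT_SECONDS = 600     # assumed lockout window


def guess_probability(attempts, valid_codes=1, code_space=CODE_SPACE):
    """Upper bound on the chance that `attempts` distinct guesses hit any of
    `valid_codes` currently accepted codes (union bound; exact when valid_codes == 1).
    A wider acceptance window raises valid_codes; no rate limit raises attempts."""
    return min(1.0, valid_codes * attempts / code_space)


class MfaVerifier:
    """Checks a submitted code, counts failures per account within the lockout
    window, refuses further attempts once the limit is reached and records an alert."""

    def __init__(self, expected_codes, now=time.time):
        # expected_codes: account -> set of codes accepted right now (constructed input)
        self.expected = {acct: set(codes) for acct, codes in expected_codes.items()}
        self.failures = defaultdict(list)   # account -> timestamps of failed attempts
        self.alerts = []                    # what a SOC would be paged on
        self.now = now

    def verify(self, account, code):
        t = self.now()
        # keep only failures inside the window, then apply the limit BEFORE checking the code
        recent = [ts for ts in self.failures[account] if t - ts < LOCKOUT_SECONDS]
        self.failures[account] = recent
        if len(recent) >= MAX_ATTEMPTS:
            return "locked"
        if code in self.expected.get(account, set()):
            recent.clear()
            return "ok"
        recent.append(t)
        if len(recent) == MAX_ATTEMPTS:
            self.alerts.append(f"{account}: {MAX_ATTEMPTS} failed MFA codes within {LOCKOUT_SECONDS}s")
        return "denied"


if __name__ == "__main__":
    v = MfaVerifier({"alice": {"123456"}})   # constructed sample account
    print([v.verify("alice", "000000") for _ in range(MAX_ATTEMPTS + 1)][-1])  # locked
    print(v.alerts)
    print("limited:", guess_probability(MAX_ATTEMPTS), "unlimited:", guess_probability(10**6))
```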