5 documented legacy MFA failures — and counting.

Legacy MFA Hall of Shame

It got phished or bypassed.
Again.

A running record of every breach where SMS codes, OTP apps, and push notifications got bypassed, stolen, or simply ignored. No spin. Just receipts.

The Breach Log

Workday Breach: Scattered Spider Impersonated Staff to Steal Account Access
Attackers impersonated IT and HR staff over phone and text to trick Workday employees into surrendering account access, reaching a third-party CRM and customer data.

Tchap Breach: Social Engineering Gave Attackers 73K Accounts Without Cracking a Single Login
Attackers used social engineering to compromise a Tchap user account, exposing France's government messaging platform to potential mass data theft including 650K messages and 13.5GB of files.

CNA Financial Paid $40M After Phishing Malware Gave Attackers Free Run
Phishers tricked a CNA employee into running a fake browser update that installed malware, giving attackers network access that led straight to data theft and ransomware.

Oldsmar Water Hack: One Weak TeamViewer Password Controlled the Plant
An attacker used a weak shared password on exposed TeamViewer to reach the SCADA operator workstation and tried to raise sodium hydroxide levels before staff noticed.

SolarWinds: Weak Credentials Opened the Door to Golden SAML Forgery
APT29 reached SolarWinds through password spraying, inserted SUNBURST into Orion updates, then stole SAML signing keys to impersonate users across thousands of victim organizations.