InfoSec Tips: Take Extra Care on Mobile Notification to Repel MFA Request Scams

(Hong Kong, 6 October 2022) Recently, Uber, one of the world’s largest online ride-hailing service providers, had been the victim of a security breach triggered by social engineering techniques.

The hacker purchased an Uber external contractor’s Uber corporate password on dark web that allowed the hacker to gain access to Uber’s systems. Since the system account was protected with multi-factor authentication (MFA), it was believed that the hacker had used an MFA Fatigue attack and convinced the contractor to accept the MFA request as well. The hacker had provided proofs of compromising the internal systems, including on-premises and cloud services.

To prevent similar social engineering attacks, the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) under the Hong Kong Productivity Council advises the public and organisations to:

Change the accounts’ passwords periodically
Never accept any suspicious MFA push authentication notification
Never provide passwords or MFA verification code of personal accounts to others
Inform IT support if noticing suspicious account login records

For more details, please refer to:

For information security related incidents, for example, ransomware, phishing, denial of service attack, etc., please report to HKCERT through its online Incident Report Form at For other enquiries, please contact HKCERT by email: or call its 24-hour hotline: 8105 6060.

Comments are closed.