When a teenager allegedly walked into Rockstar Games' internal Slack workspace in September 2022 and walked out with roughly ninety video clips of an unfinished Grand Theft Auto VI, the headlines focused on the leaked footage. Underneath the spectacle, however, sat a much more important story for anyone who works in IT security: the intrusion is widely believed to have begun with a technique that, only twelve months earlier, most boardrooms had never heard of. Multi-factor-authentication fatigue, sometimes called "MFA bombing" or "push-notification spamming", had quietly become the defining social-engineering attack of 2022, and Rockstar was the latest in a chain of high-profile victims that also included Uber, Cisco and Microsoft (BleepingComputer, 2022a; Wikipedia, 2024).
This article unpacks what MFA fatigue actually is, why traditional two-factor authentication failed to stop it, and how the cybersecurity community, pushed by the United States Cybersecurity and Infrastructure Security Agency (CISA) and the Cyber Safety Review Board (CSRB), responded with hardware tokens, number-matching prompts and stricter enrolment policies. It is written for a general audience: no exploitation recipe, no "how to" content, just the publicly described pattern and the defensive evolution that followed.
Multi-factor authentication, in its commonest modern form, works like this. After typing a username and password, the user receives a push notification on their phone asking "Was this you? Approve or Deny." Tap "Approve" and the login goes through. Tap "Deny" and it does not. The notification is meant to be a backstop: even if an attacker has stolen the password, they cannot complete the login without the legitimate owner's tap.
MFA fatigue subverts that backstop not with code but with persistence. An attacker who already holds a valid username-and-password pair (usually purchased on a stealer-log marketplace, harvested by an infostealer, or extracted via phishing) triggers the login flow over and over again. Every attempt fires another push notification at the victim's phone. Five, ten, fifty notifications can arrive in a single evening. Eventually, in the words of Microsoft's own incident report, the user "becomes fatigued" and approves one push, either to make the noise stop, because they assume a buggy app is misbehaving, or because the attacker has supplemented the spam with a phone call or message claiming to be from IT support (Microsoft, 2022; BleepingComputer, 2022b).
The technique is sometimes catalogued under the broader umbrella of "prompt bombing" and is recognised in MITRE ATT&CK as a sub-technique of Multi-Factor Authentication Request Generation (T1621). Its appeal to attackers is that it requires no zero-days, no malware deployment and no cryptographic breakthroughs. It exploits human attention, which is a resource that no patch cycle can reinforce.
The year 2022 saw the technique move from theoretical concern to the headline tool of a loose collective known as Lapsus$, along with similarly motivated affiliates. A short, public timeline illustrates the pattern.
Microsoft (March 2022). Lapsus$ obtained source-code repositories belonging to Microsoft's Bing, Cortana and other internal projects. Microsoft's threat-intelligence team publicly described the actor's playbook, which included "intrusive phone calls to a targeted user's helpdesk", SIM swapping, and "session token replay and using stolen passwords to trigger MFA prompts that the user eventually accepts" (Microsoft, 2022).
Cisco (May 2022). Cisco's Talos team disclosed that an employee's personal Google account had been compromised, which exposed corporate VPN credentials saved in the browser. The attacker then "conducted a series of sophisticated voice phishing attacks" while bombarding the employee with MFA push notifications. The employee eventually accepted one, granting the attacker an initial foothold (Cisco Talos, 2022).
Uber (September 2022). Roughly a week before the Rockstar leak, an eighteen-year-old affiliated with Lapsus$ accessed Uber's internal systems by purchasing a contractor's credentials on the dark web, spamming the contractor with MFA pushes, and then contacting them on WhatsApp claiming to be from Uber IT and instructing them to accept the prompt to make the notifications stop. The contractor complied. Uber's subsequent disclosure described this exact sequence (Uber, 2022; Ars Technica, 2022a).
Rockstar Games (September 2022). Days later, the same actor allegedly used a comparable approach against an employee of Rockstar's parent company Take-Two Interactive, obtaining access to internal Slack and Confluence. The compromise produced one of the largest pre-release leaks in video-game history. Court documents during the attacker's subsequent UK trial referenced social engineering of an employee, and journalistic reporting placed the technique within the same MFA-fatigue family used against Uber (Ars Technica, 2022b; BleepingComputer, 2022a).
By the time Rockstar was hit, the playbook had been documented, demonstrated and described in public for at least six months. That is what made the incident a turning point: it was no longer plausible to treat MFA fatigue as a novel risk.
Push-based MFA was a genuine improvement on SMS one-time codes. It is resistant to SIM swapping. It is bound to a registered device. It is hard to phish through a fake login page because the second factor never traverses the user's keyboard. So why did it fail so visibly in 2022?
Three structural weaknesses, all of them human or design-level rather than cryptographic, explain the pattern.
First, the user interface of a push prompt is binary and ambiguous. "Approve" or "Deny" gives the user almost no context. There is no destination IP, no geographic hint, no application name in many implementations, no rate limiter the user can see. A tired employee at 11pm cannot easily distinguish a legitimate retry from an attack.
Second, push prompts can usually be triggered unlimited times. Until 2022, most identity providers had no built-in cap on how many pushes a single credential pair could generate per hour. Attackers exploited this by simply running the login flow on a loop.
Third, the second factor in a push prompt does not verify anything about the attacker. The cryptographic challenge being signed by the phone proves only that the registered device is present; it does not prove that the person typing the password is the same person tapping "Approve". That gap is what social engineering exploits.
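As an added illustration (not from the article or any vendor), the following Python sketches the detection logic a defender can run over identity-provider logs to catch the burst pattern these three weaknesses produce: many pushes to one user in a short window, followed by an approval. The log lines are constructed; a real IdP's field names and event types will differ.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample IdP events: "<ISO ts> <user> mfa_push <sent|approved|denied|timeout>"
SAMPLE_LOG = """\
2022-09-15T22:41:02Z alice mfa_push sent
2022-09-15T22:41:20Z alice mfa_push denied
2022-09-15T22:41:35Z alice mfa_push sent
2022-09-15T22:41:58Z alice mfa_push timeout
2022-09-15T22:42:10Z alice mfa_push sent
2022-09-15T22:42:40Z alice mfa_push denied
2022-09-15T22:43:01Z alice mfa_push sent
2022-09-15T22:43:30Z alice mfa_push timeout
2022-09-15T22:44:05Z alice mfa_push sent
2022-09-15T22:44:50Z alice mfa_push approved
2022-09-15T09:00:00Z bob mfa_push sent
2022-09-15T09:00:12Z bob mfa_push approved
"""

LINE_RE = re.compile(r"^(\S+) (\S+) mfa_push (sent|approved|denied|timeout)$")

def parse(log_text):
    """Return (timestamp, user, result) tuples sorted by time; skip junk lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3)))
    return sorted(events)

def find_push_bursts(log_text, threshold=3, window=timedelta(minutes=10)):
    """Flag users who were sent more than `threshold` pushes inside `window`.
    Returns {user: (pushes_in_burst, approved_during_or_shortly_after_burst)}.
    A burst followed by an approval is the fatigue pattern worth paging on."""
    per_user = defaultdict(list)
    for ts, user, result in parse(log_text):
        per_user[user].append((ts, result))
    findings = {}
    for user, evs in per_user.items():
        sent = [ts for ts, r in evs if r == "sent"]
        for i, start in enumerate(sent):
            burst = [t for t in sent[i:] if t - start <= window]
            if len(burst) > threshold:
                end = burst[-1] + window
                approved = any(r == "approved" and start <= t <= end for t, r in evs)
                findings[user] = (len(burst), approved)
                break
    return findings
```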
The deeper observation, made repeatedly in post-incident analyses, is that any authentication factor whose security depends on a human making a correct judgment under uncertainty will eventually fail at scale (CISA, 2022; CSRB, 2023).
The response from United States federal cybersecurity authorities was unusually fast and unusually specific.
In October 2022, CISA issued a public fact sheet titled Implementing Phishing-Resistant MFA, which explicitly named "push-bombing" as an attack class and recommended that organisations move away from one-tap push approval as their primary second factor. The agency's guidance distinguished between "phishing-resistant" MFA (essentially FIDO2 hardware authenticators and PKI-based smart cards) and "non-phishing-resistant" MFA (SMS, voice, one-time codes, and basic push), and instructed federal civilian agencies to adopt the former wherever feasible (CISA, 2022).
In August 2023, the Department of Homeland Security's Cyber Safety Review Board (CSRB) published its report on the activities of Lapsus$ and related actors. The report is publicly available on cisa.gov and runs to roughly fifty pages. It identified MFA bypass, particularly through fatigue, SIM swapping and helpdesk social engineering, as the most consequential common factor in the group's intrusions, and made formal recommendations to identity providers, telecommunications carriers and enterprises (CSRB, 2023).
Industry mirrored the federal posture. Microsoft enabled number-matching as the default for Authenticator push prompts in February 2023. Okta, Duo and Ping rolled out comparable changes. Cloudflare published a widely circulated post-mortem of an earlier attempted intrusion in which the difference between FIDO2 hardware keys (which blocked the attack) and one-time codes (which other targeted companies fell to) was made explicit (Cloudflare, 2022).
Two technical mitigations dominated the post-2022 response, and they sit at different points on the cost/benefit curve.
Number matching modifies the push-approval workflow so that the login screen displays a two- or three-digit number, and the user must type that same number into their phone app in order to approve. This single change neutralises the simplest form of MFA fatigue, because an attacker spamming pushes cannot tell the victim which number to enter, and a confused user has nothing to tap blindly. It is low-cost, retrofittable to existing authenticator apps, and was adopted as a default by Microsoft, Okta and others through 2023. Independent measurement found significant reductions in successful prompt-bombing attempts once it was enabled (BleepingComputer, 2023).
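An added model (not any vendor's code) of why number matching removes the blind tap: the same identity-provider stub is run in one-tap mode and in number-matching mode against a run of attacker-triggered prompts, then a normal login. The class and function names and the two-digit code length are assumptions.

```python
import hmac
import secrets

class PushIdP:
    """Constructed model of an identity provider's push approval, in one-tap
    mode and in number-matching mode. Added example; no vendor's real code."""
    def __init__(self, number_matching):
        self.number_matching = number_matching
        self.pending = {}   # challenge_id -> code shown on the login screen

    def start_login(self, user):
        """A valid password (whoever holds it) triggers a push. With number
        matching, a fresh two-digit code appears only on the screen that
        started this attempt; the phone asks for that code, not for a tap."""
        cid = secrets.token_hex(8)
        code = f"{secrets.randbelow(100):02d}" if self.number_matching else ""
        self.pending[cid] = code
        return cid, code

    def approve_from_phone(self, cid, typed_code=""):
        """Phone-side approval. One-tap mode accepts any tap; number-matching
        mode requires the code from the initiating screen."""
        if cid not in self.pending:
            return False
        expected = self.pending.pop(cid)
        if not self.number_matching:
            return True                  # the weakness: a bare tap approves
        return bool(typed_code) and hmac.compare_digest(expected, typed_code)

def simulate(number_matching, spam_count=20):
    """Someone holding the password fires `spam_count` logins; the fatigued
    victim taps 'Approve' without ever seeing the initiating screen. Then the
    victim logs in normally. Returns (unwanted_approvals, legitimate_login_ok)."""
    idp = PushIdP(number_matching)
    unwanted = 0
    for _ in range(spam_count):
        cid, _code_on_other_screen = idp.start_login("victim")
        if idp.approve_from_phone(cid):             # blind tap, nothing to type
            unwanted += 1
    cid, code = idp.start_login("victim")           # victim's own login
    legit_ok = idp.approve_from_phone(cid, code)    # code read from own screen
    return unwanted, legit_ok
```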
FIDO2 hardware keys go further. A FIDO2 authenticator (YubiKey, Google Titan, Feitian, or a platform authenticator such as Windows Hello or a Mac's Secure Enclave) uses public-key cryptography bound to the origin of the website the user is logging into. Because the cryptographic challenge incorporates the requesting origin, a phishing site cannot relay it, and there is no push prompt for a tired user to accept by mistake. Cloudflare, which had migrated its entire workforce to hardware keys before the 2022 wave, publicly credited that decision with stopping an intrusion attempt by the same threat cluster that hit Twilio (Cloudflare, 2022).
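To show the origin binding the paragraph describes, here is an added Python model (not from any WebAuthn library) of a relying party checking a FIDO2-style assertion. An HMAC with a device-held secret stands in for the authenticator's private-key signature so the block runs on the standard library; RP_ORIGIN and the lookalike origin used in testing are constructed values.

```python
import hashlib, hmac, json, secrets

RP_ORIGIN = "https://login.example.com"   # assumed relying-party origin

class Authenticator:
    """Device side. HMAC with a device-held secret stands in for the
    authenticator's private-key signature (constructed stand-in)."""
    def __init__(self):
        self.key = secrets.token_bytes(32)  # never leaves the device

    def sign(self, challenge, origin):
        # The browser, not the user, fills in the origin of the page that
        # requested the assertion; the device signs over it.
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": origin}, sort_keys=True).encode()
        return client_data, self._mac(client_data)

    def _mac(self, client_data):
        return hmac.new(self.key, hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()

class RelyingParty:
    def __init__(self, authenticator, origin=RP_ORIGIN):
        self.auth = authenticator   # stands in for the stored public key
        self.origin = origin
        self.challenges = set()     # outstanding, single-use challenges

    def new_challenge(self):
        c = secrets.token_urlsafe(32)
        self.challenges.add(c)
        return c

    def verify(self, client_data, sig):
        data = json.loads(client_data)
        if data.get("type") != "webauthn.get" or data.get("origin") != self.origin:
            return False            # signed for a different origin: relay fails
        if data.get("challenge") not in self.challenges:
            return False            # unknown or already-used challenge
        self.challenges.discard(data["challenge"])
        return hmac.compare_digest(self.auth._mac(client_data), sig)

def login(rp, device, page_origin):
    """One login: the challenge is genuine even when proxied by a lookalike page,
    but the browser binds the assertion to the origin actually visited."""
    challenge = rp.new_challenge()
    client_data, sig = device.sign(challenge, page_origin)
    return rp.verify(client_data, sig)
```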
Adoption of FIDO2 across the wider enterprise market has been steady but uneven. The cost is no longer dominated by the keys themselves, which are inexpensive in bulk, but by the operational overhead of enrolment, lost-key recovery and supporting users who travel between regions. Helpdesk processes, historically the weak link because attackers have repeatedly persuaded helpdesks to enrol new MFA devices on their behalf, have themselves become a focus of hardening (CSRB, 2023).
Public information on internal security changes at specific game studios is, naturally, limited. Studios do not generally publish their MFA roadmap. What is publicly visible, however, suggests that the 2022 incidents accelerated a shift that was already underway.
First, several major publishers updated their public security and trust pages during 2023 and 2024 to reference phishing-resistant MFA, hardware tokens or "FIDO2-compliant" authentication in their employee-access posture. Some of these statements appear in their SOC 2 summaries or in supplier-questionnaire responses circulated through industry bodies.
Second, the cyber-insurance market reacted. Reporting through 2023 indicated that several insurers writing policies for media and entertainment companies began to require hardware-token MFA for privileged accounts as a condition of coverage or premium discount. This is a structural lever that tends to drive adoption faster than any voluntary best practice.
Third, internal collaboration tooling (Slack, Confluence, Jira, Perforce) became a more visible audit target. The Rockstar incident underlined that source-code repositories are not the only sensitive surface; chat archives and ticket systems can contain almost as much narrative information as code itself. Reporting after the incident highlighted moves at multiple studios to tighten Slack workspace SSO enforcement and to segment access to in-development build systems behind separate authentication zones (Ars Technica, 2022b; BleepingComputer, 2022a).
Fourth, helpdesk procedures across large studios reportedly underwent quiet but substantial rewrites. The Lapsus$ playbook had repeatedly leaned on persuading internal IT staff to enrol attacker-controlled devices, and the CSRB report singled out helpdesk social-engineering as a category that deserved its own controls. Several industry conference talks through 2023 and 2024 referred to "callback verification", "manager-of-record approval" and similar process-based mitigations, though without naming specific employers.
The cumulative effect is that an attacker attempting in 2025 the exact sequence that worked in September 2022 would face several more obstacles: number-matching on the prompt itself, possible hardware-key requirements for privileged systems, stricter helpdesk verification before any MFA-device re-enrolment, and tighter session-token lifetimes on internal applications. None of this is a silver bullet, since social engineering will continue to find new edges, but the specific attack class that defined 2022 is meaningfully harder to execute against a well-run organisation today.
The Rockstar breach is remembered for what leaked. Its more durable contribution to cybersecurity history is what it confirmed: that an attack technique requiring no malware, no exploit and no insider could embarrass some of the largest technology companies on earth four times in a single year. MFA fatigue is the rare attack class to be answered with both a clear technical fix (number matching, FIDO2) and a clear governance response (CISA guidance, the CSRB report). For the games industry, watching a peer of Rockstar's profile fall to a publicly known technique appears to have been the prompt (pun unavoidable) that turned slow MFA modernisation into urgent MFA modernisation.
This document distinguishes carefully between confirmed and inferred material. The 2022 attack timeline against Microsoft, Cisco and Uber is documented by the affected companies' own incident disclosures and is high confidence. The MFA-fatigue attribution for the Rockstar incident is consistent with public reporting and with court material from the attacker's UK trial, and is medium-to-high confidence, though Rockstar and Take-Two have not published a full technical post-mortem. The description of CISA, CSRB and identity-provider responses is drawn from public agency publications and vendor blog posts and is high confidence. Claims about games-industry-specific internal changes are based on public trust pages, conference talks and journalistic reporting; these are directionally well-supported but the specifics at any individual studio are lower confidence by their nature, since internal security posture is rarely disclosed in detail.
Ars Technica, 2022a. Uber says Lapsus$-linked hacker responsible for breach. Ars Technica. Available at: https://arstechnica.com/ [Accessed via public reporting].
Ars Technica, 2022b. GTA 6 source code and videos leaked after Rockstar Games hack. Ars Technica. Available at: https://arstechnica.com/ [Accessed via public reporting].
BleepingComputer, 2022a. Rockstar Games confirms hack after GTA 6 footage leaks online. BleepingComputer. Available at: https://www.bleepingcomputer.com/ [Accessed via public reporting].
BleepingComputer, 2022b. MFA fatigue: Hackers' new favorite tactic in high-profile breaches. BleepingComputer. Available at: https://www.bleepingcomputer.com/ [Accessed via public reporting].
BleepingComputer, 2023. Microsoft enables number matching by default for Authenticator push prompts. BleepingComputer. Available at: https://www.bleepingcomputer.com/ [Accessed via public reporting].
CISA, 2022. Implementing Phishing-Resistant MFA. Cybersecurity and Infrastructure Security Agency. Available at: https://www.cisa.gov/ [Accessed via public agency publication].
Cisco Talos, 2022. Cisco Talos Incident Response: May 2022 intrusion disclosure. Cisco. Available at: https://blog.talosintelligence.com/ [Accessed via public vendor publication].
Cloudflare, 2022. The mechanics of a sophisticated phishing scam and how we stopped it. Cloudflare Blog. Available at: https://blog.cloudflare.com/ [Accessed via public vendor publication].
CSRB, 2023. Review of the Attacks Associated with Lapsus$ and Related Threat Groups. Cyber Safety Review Board, U.S. Department of Homeland Security. Available at: https://www.cisa.gov/ [Accessed via public agency publication].
Microsoft, 2022. DEV-0537 criminal actor targeting organizations for data exfiltration and destruction. Microsoft Security Blog. Available at: https://www.microsoft.com/security/blog/ [Accessed via public vendor publication].
Uber, 2022. Security update. Uber Newsroom. Available at: https://www.uber.com/newsroom/ [Accessed via public corporate disclosure].
Wikipedia, 2024. Multi-factor authentication fatigue attack. Wikipedia. Available at: https://en.wikipedia.org/wiki/Multi-factor_authentication_fatigue_attack [Accessed via public reference].