Why do credential leaks often bypass MFA without exploiting vulnerabilities?

Even though multi-factor authentication (MFA) is one of the most secure mitigations against account hijacking, it is not foolproof, and can easily be bypassed. Today, attackers can log in or compromise sessions with leaked credentials without exploiting a technical vulnerability in the MFA mechanism. 

Why Leaked Credentials Can Evade MFA

MFA protects the moment of login, not what happens before or after it. Most applications issue cookies or tokens once a user has authenticated successfully, so that continued access does not require further MFA prompts. When these artifacts leak alongside usernames and passwords, attackers can bypass MFA through entirely legitimate flows. 

For attackers, bypassing MFA largely means impersonating a real user rather than breaking the MFA mechanism itself. Stealer malware, large‑scale database breaches and third-party exposures provide a continuous stream of leaked credentials and session data, which can be reused across other services. 

How Credential Leaks Facilitate Evading MFA Methods

Credential leaks provide attackers the necessary raw data to test and enhance MFA evasion techniques across a large number of targets. Instead of hunting for a high-impact bug, threat actors pair stolen logins with well‑known weaknesses in how organizations create and configure MFA systems. 

Common patterns include:

  • Credential stuffing into poorly secured services: Attackers replay compromised username‑password pairs across VPNs, cloud apps, webmail, and other services until they discover an organization with no MFA or inconsistent enforcement.
  • MFA fatigue (push bombing): By exploiting legitimate leaked credentials, attackers repeatedly deliver push‑based prompts until a user finally approves out of habit or confusion.
  • Abusing recovery and support flows: Using personal and account details available from leaks, attackers can coerce help desks to reset MFA, enroll a new device or disable protections temporarily.

In none of these situations does the attacker exploit a cryptographic weakness or a protocol flaw. Bypassing MFA depends on user behaviour and weak procedures; leaked credentials simply unlock the front door. 
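Push bombing leaves a recognisable trace in the MFA provider's event stream: a burst of prompts for one user, several of them denied or ignored, followed by an approval. The following detection routine is an added example, not code from the original post or from any product it mentions; the log format, the five-minute window and the threshold of three prompts are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of push-MFA events, in an assumed log format:
# "<ISO-8601 timestamp> user=<name> event=<push_sent|push_approved|push_denied|push_timeout>"
SAMPLE_LOG = """\
2024-05-01T08:00:01Z user=alice event=push_sent
2024-05-01T08:00:05Z user=alice event=push_approved
2024-05-01T09:10:00Z user=bob event=push_sent
2024-05-01T09:10:20Z user=bob event=push_denied
2024-05-01T09:10:25Z user=bob event=push_sent
2024-05-01T09:10:40Z user=bob event=push_timeout
2024-05-01T09:11:00Z user=bob event=push_sent
2024-05-01T09:11:10Z user=bob event=push_denied
2024-05-01T09:11:30Z user=bob event=push_sent
2024-05-01T09:11:35Z user=bob event=push_approved
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, user, event) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user_kv, event_kv = line.split()
        timestamp = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append((timestamp, user_kv.split("=", 1)[1], event_kv.split("=", 1)[1]))
    return events


def detect_push_fatigue(events, window=timedelta(minutes=5), threshold=3):
    """Flag users whose push approval follows a burst of prompts.

    A finding is raised when, at the moment of a push_approved event, at least
    `threshold` pushes were sent within `window` and at least one earlier prompt
    in that window was denied or timed out. Returns {user: finding_dict}.
    """
    by_user = defaultdict(list)
    for ts, user, event in sorted(events):
        by_user[user].append((ts, event))

    findings = {}
    for user, user_events in by_user.items():
        for ts, event in user_events:
            if event != "push_approved":
                continue
            recent = [(t, e) for t, e in user_events if ts - window <= t <= ts]
            sent = sum(1 for _, e in recent if e == "push_sent")
            rejected = sum(1 for _, e in recent if e in ("push_denied", "push_timeout"))
            if sent >= threshold and rejected >= 1:
                findings[user] = {
                    "approved_at": ts.isoformat(),
                    "pushes_in_window": sent,
                    "rejected_or_ignored": rejected,
                }
    return findings


if __name__ == "__main__":
    for user, finding in detect_push_fatigue(parse_log(SAMPLE_LOG)).items():
        print(f"possible push bombing: {user} {finding}")
```

On the constructed sample, alice's single prompt produces nothing, while bob is flagged with four prompts and three rejections inside the window. In practice the finding should trigger a session review and a conversation with the user, since the approval itself looks legitimate to the MFA service.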

Session Hijacking: Bypassing MFA Without Using the Login Screen

A growing number of MFA bypass cases have been attributed to session hijacking, rather than password reuse. Applications depend heavily on session cookies, tokens and OAuth grants that are valid for hours or even days. Once attackers take command of them with infostealer malware or adversary‑in‑the‑middle (AiTM) phishing methods, they can often log into accounts without triggering an MFA prompt. 

Typical techniques include:

  • Stealer malware on endpoints: Infostealers snatch up browser cookies, refresh tokens and saved passwords and send them to command‑and‑control servers, where the files are bundled and sold as stealer logs. From there, buyers can import these artifacts to generate user sessions.
  • AiTM phishing kits: Attackers impersonate legitimate login pages, hijack credentials and the resultant authentication cookie, then replay that cookie immediately to claim to be a victim with an authenticated session.
  • Exposed backup codes and tokens: Improperly stored backup codes or exported tokens can create a bypass path to MFA protections if they appear within leaked data sets or misconfigured repositories.

Because these techniques rely on valid cookies and tokens, they are often invisible to controls that only watch login events and MFA failures. From the application’s perspective, the session looks like an ordinary continuation of an earlier successful login.

Webz.io’s coverage of stealer log markets allows organizations to quickly recognize when their domains, email addresses or application tokens are visible in these data sets. This allows security teams to quickly revoke sessions and reset credentials.

Configuration gaps that turn leaked credentials into initial access

Even where MFA is technically available, configuration gaps often allow leaked credentials to be used directly in certain environments without any authentication bypass exploit. For example:

  • Legacy or “exception” systems with no MFA: Older portals, test environments, or back‑office tools may still accept password‑only logins, even when core user accounts are protected by MFA elsewhere.
  • Partial coverage across the stack: MFA might be enforced for VPN access but not for downstream SaaS tenants, cloud consoles, or command‑line interfaces derived from the same identity.
  • Weak server‑side verification: In some implementations, client‑side checks or response parameters can be tampered with so that applications mistakenly treat MFA as completed.

In these situations, credential leaks give initial access brokers and other threat actors everything they need to establish a foothold without searching for a specific 2-factor authentication bypass vulnerability. Once inside, they can pivot laterally, escalate privileges, or resell access. 
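The "weak server-side verification" gap above comes down to where the application records that the second factor was completed. The following pair of checks is an added example, not code from the original post or from any product it mentions: it uses a constructed in-memory session table and an assumed `mfa_verified` request parameter to contrast a check that trusts client input with one that consults only server-side state.

```python
import secrets

# Constructed in-memory session table for the example; a real application would
# keep this in its server-side session store.
SESSIONS = {}  # session_id -> {"user": str, "password_ok": bool, "mfa_ok": bool}


def password_step(user, password_is_correct):
    """First factor. Creates a server-side session that is NOT yet fully authenticated."""
    session_id = secrets.token_urlsafe(16)
    SESSIONS[session_id] = {"user": user, "password_ok": password_is_correct, "mfa_ok": False}
    return session_id


def mfa_step(session_id, code_is_valid):
    """Second factor. Only the server records that MFA completed."""
    session = SESSIONS.get(session_id)
    if session is not None and session["password_ok"] and code_is_valid:
        session["mfa_ok"] = True
    return session is not None and session["mfa_ok"]


def is_authenticated_vulnerable(session_id, request_params):
    """Weak verification: the decision depends on a client-controlled parameter
    (an assumed form field or query string such as mfa_verified=true). Anyone
    holding a password-only session can supply that parameter themselves."""
    session = SESSIONS.get(session_id)
    if session is None or not session["password_ok"]:
        return False
    return request_params.get("mfa_verified") == "true"


def is_authenticated_hardened(session_id, request_params):
    """Server-side verification: request parameters are ignored entirely; only
    the state written by mfa_step() counts."""
    session = SESSIONS.get(session_id)
    return bool(session and session["password_ok"] and session["mfa_ok"])


if __name__ == "__main__":
    sid = password_step("alice", password_is_correct=True)
    tampered = {"mfa_verified": "true"}
    print("vulnerable check, MFA never done:", is_authenticated_vulnerable(sid, tampered))  # True
    print("hardened check,   MFA never done:", is_authenticated_hardened(sid, tampered))    # False
    mfa_step(sid, code_is_valid=True)
    print("hardened check,   after real MFA:", is_authenticated_hardened(sid, {}))         # True
```

The audit question for any application in the "partial coverage" or "exception" categories is the same as the one this code makes explicit: is there any path on which the MFA decision is derived from something the client sends rather than from state the server wrote itself?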

How to reduce the impact of leaked credentials on MFA

Because credential leaks are now constant, the focus for defenders should be on making those leaks less useful to attackers and detecting abuse early. Some practical steps include:

  • Deploying phishing‑resistant MFA for high‑risk accounts: Hardware security keys and modern, WebAuthn‑based methods are more resistant to AiTM phishing and many MFA evasion techniques.
  • Binding sessions to context: Where possible, bind tokens and cookies to device, network, and risk signals so that stolen artifacts cannot be replayed from arbitrary infrastructure.
  • Closing password‑only paths: Audit applications, admin tools, and legacy systems to eliminate cases where leaked credentials alone are enough for access.
  • Hardening recovery and support workflows: Treat help desks and recovery paths as part of your authentication surface. Enforce strong verification processes so attackers cannot easily social‑engineer a 2-factor authentication bypass.
  • Continuously monitoring for leaked data: Use dark web monitoring to detect when your credentials, tokens, or domains appear in stealer logs and data leak sites, and feed those signals into automated revocation and response workflows.
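Two of the steps above, binding sessions to context and feeding leak signals into automated revocation, can be shown together in one server-side session store, which also illustrates how a replayed cookie of the kind described in the session-hijacking section gets caught. The code below is an added example, not code from the original post or from any product it mentions; the binding signals (client IP and user agent), the leak-signal format (a set of email addresses plus an email-to-username directory) and the response actions are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time


def context_fingerprint(client_ip, user_agent):
    """Hash of the binding context. The choice of signals is an assumption for this
    example; a deployment may add device certificates, ASN or risk-engine output."""
    return hashlib.sha256(f"{client_ip}|{user_agent}".encode()).hexdigest()


class SessionStore:
    """Server-side store whose tokens are bound to the context seen at issuance."""

    def __init__(self):
        self.sessions = {}   # token -> record
        self.by_user = {}    # user -> set of tokens

    def issue(self, user, client_ip, user_agent, ttl_seconds=3600):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {
            "user": user,
            "ctx": context_fingerprint(client_ip, user_agent),
            "expires": time.time() + ttl_seconds,
            "revoked": False,
        }
        self.by_user.setdefault(user, set()).add(token)
        return token

    def validate(self, token, client_ip, user_agent):
        record = self.sessions.get(token)
        if record is None or record["revoked"] or time.time() > record["expires"]:
            return ("deny", "unknown_revoked_or_expired")
        presented = context_fingerprint(client_ip, user_agent)
        if not hmac.compare_digest(record["ctx"], presented):
            # A valid token arriving from a different context is the signature of a
            # replayed cookie: revoke it rather than let the session continue.
            record["revoked"] = True
            return ("deny", "context_mismatch")
        return ("allow", record["user"])

    def revoke_user(self, user):
        """Invalidate every live session for a user; returns how many were revoked."""
        count = 0
        for token in self.by_user.get(user, ()):
            if not self.sessions[token]["revoked"]:
                self.sessions[token]["revoked"] = True
                count += 1
        return count


def handle_leak_signal(store, leaked_emails, directory):
    """Constructed response workflow: `leaked_emails` are addresses a monitoring feed
    reported in a stealer log; `directory` maps email -> internal username.
    Every match gets its sessions revoked and is queued for password reset and
    MFA re-enrolment."""
    actions = {}
    for email in leaked_emails:
        user = directory.get(email.strip().lower())
        if user is None:
            continue
        actions[user] = {
            "sessions_revoked": store.revoke_user(user),
            "force_password_reset": True,
            "reenroll_mfa": True,
        }
    return actions


if __name__ == "__main__":
    store = SessionStore()
    token = store.issue("alice", "203.0.113.5", "Mozilla/5.0 (X11; Linux)")
    print(store.validate(token, "203.0.113.5", "Mozilla/5.0 (X11; Linux)"))   # ('allow', 'alice')
    print(store.validate(token, "198.51.100.9", "Mozilla/5.0 (X11; Linux)"))  # ('deny', 'context_mismatch')
    bob = store.issue("bob", "203.0.113.7", "Mozilla/5.0 (Windows)")
    print(handle_leak_signal(store, {"Bob@Example.com"}, {"bob@example.com": "bob"}))
    print(store.validate(bob, "203.0.113.7", "Mozilla/5.0 (Windows)"))       # ('deny', 'unknown_revoked_or_expired')
```

Binding strictly to the client IP is deliberately simple here; on mobile and NAT-heavy networks it produces false denials, which is why the post says "where possible" and lists device and risk signals alongside network ones. Coarser signals (ASN, device certificate, a risk score) keep the same validate-and-revoke shape while tolerating legitimate address changes.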

Lunar’s dark web and data leak monitoring can help security teams detect leaked credentials, stealer logs, and access offers involving their organization across forums, marketplaces, and data leak sites, enabling faster containment and more informed MFA policies.
