Your Accounts Can Still Get Hacked, Even Using Multi-Factor Authentication
When it comes to digital safety, setting up an extra layer of security for accounts is heavily recommended. The idea behind this approach, known as multi-factor authentication (MFA), is to ensure that a bad actor will have to go through a second level of verification to get into an account, even if they've managed to obtain your password. This secondary layer of authentication could be an SMS with a one-time password, a security email, a local passkey, a biometric scan, or even a physical security key. Microsoft research suggests that MFA can reduce the chances of an account compromise by 99.22% in general, and 98.56% if the login credentials have been obtained.
However, it seems MFA is not a foolproof solution, with several instances where hackers have managed to overcome it. For example, in December 2025, security experts over at Infoblox were notified that bad actors were targeting academic institutions. Specifically, the hackers were attacking an institution's student single sign-on portal using an open-source phishing toolkit called Evilginx.
Evilginx is a phishing tool that essentially takes a man-in-the-middle (MITM) route, where the attacker can intercept the communication between a user's device and the service they are trying to access. It's an eavesdropping trick that lets hackers steal everything from login credentials to financial information, and these hackers apparently used it against 18 institutions in 2025 alone. The infamous Equifax hack from 2017 was an MITM attack that exposed data of over 150 million customers, and even tech giants such as Tesla have been targeted using the same tactic.
Should you be worried?
In 2024, experts at Abnormal.ai highlighted how threat actors were using Evilginx to target widely used services such as Outlook and Gmail. One of the most dangerous elements of Evilginx is that it is open-source, making it widely available and open to modification by hackers. One of the target flows involves spoofing a banking site, which allows the hackers to capture the victim's session cookies as they pass through the proxy. With those cookies and the login credentials in hand, they can impersonate the victim on the bank's actual website.
But Evilginx isn't the only threat to multi-factor authentication. There are less sophisticated ways to break it. Phishing, a form of social engineering in which a bad actor spoofs a legitimate service to trick users into sharing sensitive login data, is fairly common these days. SIM swapping can also be a potent way of breaking MFA, especially if your multi-factor code arrives via SMS or phone call. There is also a risk that hackers install a skimmer device to steal fingerprints from machines that require a biometric unlock to process payments or verify identities.
So, how can one stay safe in an age where MFA can be bypassed? Well, the experts over at Experian recommend using a password manager app, or a FIDO-certified physical key (such as Google Titan or those offered by Yubico). According to the US government's Cybersecurity & Infrastructure Security Agency, the "only widely available phishing-resistant authentication is FIDO/WebAuthn." Thus, if a FIDO-based physical security key is out of the question, you'll have to go with a WebAuthn solution, such as a passkey. Thankfully, companies such as Google, Microsoft, and Apple have all implemented passkeys, making them easy to adopt.
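The reason a reverse-proxy phishing kit can relay one-time codes and session cookies but not a FIDO/WebAuthn login is that the browser, not the web page, writes the origin it is actually on into the signed assertion, and the security key also binds the assertion to the site's relying-party ID. The following Python model is an added example, not code from the article or from any vendor named in it; the domains (bank.example, bank-login.example) are constructed, and HMAC-SHA256 stands in for the authenticator's per-site asymmetric signature so that the example runs with the standard library. It walks through a legitimate login, the same login relayed through a proxy on a lookalike domain, and a proxy that rewrites the visible fields, showing which check rejects each one.

```python
import hashlib
import hmac
import json
import os

RP_ID = "bank.example"              # constructed relying-party ID (the bank's domain)
RP_ORIGIN = "https://bank.example"  # the only origin the relying party accepts

# Stand-in for the authenticator's private key. A real security key signs with a
# per-site asymmetric key; HMAC is used here only so the example runs offline.
# The origin-binding checks below are unaffected by that substitution.
AUTHENTICATOR_KEY = b"constructed-demo-key"


def authenticator_sign(rp_id: str, client_data_json: bytes) -> tuple[bytes, bytes]:
    """Model of the security key: sign authenticatorData || SHA256(clientDataJSON).
    authenticatorData starts with SHA256(rpId), then flags and a counter."""
    authenticator_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")
    signed = authenticator_data + hashlib.sha256(client_data_json).digest()
    signature = hmac.new(AUTHENTICATOR_KEY, signed, hashlib.sha256).digest()
    return authenticator_data, signature


def browser_get_assertion(page_origin: str, challenge: bytes) -> dict:
    """Model of navigator.credentials.get(): the browser records the origin it is
    really on and derives the RP ID from that origin's host; the page cannot override either."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": page_origin},
        sort_keys=True,
    ).encode()
    rp_id = page_origin.removeprefix("https://")
    auth_data, sig = authenticator_sign(rp_id, client_data)
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


def rp_verify(assertion: dict, issued_challenge: bytes) -> tuple[bool, str]:
    """Relying-party checks (a subset of the WebAuthn verification steps):
    type, challenge freshness, origin, rpIdHash, then the signature over it all."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong type"
    if cd.get("challenge") != issued_challenge.hex():
        return False, "challenge mismatch (replay)"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')!r}"
    if assertion["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected_sig = hmac.new(AUTHENTICATOR_KEY, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def legitimate_login() -> tuple[bool, str]:
    """User is on the real site: the assertion carries the real origin and RP ID."""
    challenge = os.urandom(32)
    return rp_verify(browser_get_assertion(RP_ORIGIN, challenge), challenge)


def proxied_login(proxy_origin: str = "https://bank-login.example") -> tuple[bool, str]:
    """Reverse-proxy case: the bank's challenge is relayed to the victim's browser, which is
    on the proxy's origin, and the proxy forwards the assertion unchanged."""
    challenge = os.urandom(32)
    return rp_verify(browser_get_assertion(proxy_origin, challenge), challenge)


def proxied_login_with_forged_fields(proxy_origin: str = "https://bank-login.example") -> tuple[bool, str]:
    """Proxy rewrites the plaintext fields to claim the real origin and RP ID. Every visible
    check now passes, but the signature was computed over the original data and no longer verifies."""
    challenge = os.urandom(32)
    assertion = browser_get_assertion(proxy_origin, challenge)
    cd = json.loads(assertion["clientDataJSON"])
    cd["origin"] = RP_ORIGIN
    assertion["clientDataJSON"] = json.dumps(cd, sort_keys=True).encode()
    assertion["authenticatorData"] = (
        hashlib.sha256(RP_ID.encode()).digest() + assertion["authenticatorData"][32:]
    )
    return rp_verify(assertion, challenge)


if __name__ == "__main__":
    print("legitimate:", legitimate_login())
    print("via proxy:", proxied_login())
    print("via proxy, fields forged:", proxied_login_with_forged_fields())
```

Contrast this with an SMS or app-generated one-time code: that code is just a short string with no notion of where it was typed, so a proxy that receives it can forward it to the real site unchanged and it verifies. The origin and RP ID checks are what the article's CISA quote means by "phishing-resistant", and they only help if the relying party actually performs them rather than accepting any well-formed assertion.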