When it comes to digital safety, setting up an extra layer of security for accounts is strongly recommended. The idea behind this approach, known as multi-factor authentication (MFA), is to ensure that a bad actor has to pass a second level of verification to get into an account, even if they've managed to obtain your password. This secondary layer of authentication could be an SMS with a one-time password, a security email, a local passkey, a biometric scan, or even a physical security key. Microsoft research suggests that MFA can reduce the chances of an account compromise by 99.22% in general, and 98.56% if the login credentials have been obtained.

However, MFA is not a foolproof solution, and there have been several instances where hackers have managed to overcome it. For example, in December 2025, security experts at Infoblox were notified that bad actors were targeting academic institutions. Specifically, the hackers were attacking an institution's student single sign-on portal by using an open-source tool called Evilginx.

Evilginx is a phishing tool that takes a man-in-the-middle (MITM) approach, in which the attacker intercepts the communication between a user's device and the service they are trying to access. It's an eavesdropping trick that lets hackers steal everything from login credentials to financial information, and these hackers apparently used it against 18 institutions in 2025 alone. The infamous Equifax hack from 2017 was an MITM attack that exposed data of over 150 million customers, and even tech giants such as Tesla have been targeted using the same tactic.