MFA Log Theft at Cisco Duo Caused by Third Party Breach, Customers at Risk of Follow-up Scams

by | Apr 19, 2024

Customers of Cisco Duo are advised to be on heightened alert for phishing and identity theft attempts, as the authentication service has revealed that a third party breach resulted in some MFA logs being stolen.

At the moment, the company reports that only about 1% (or roughly one thousand) of its customers are impacted. However, as was recently seen with competitor Okta, those numbers might well be revised upwards in the coming weeks and months as investigations progress. The MFA logs that were stolen do not contain messages or credentials, but do provide criminals with a convenient target list of devices that could be used to break into networks.

Devices listed in MFA logs extremely likely to be targeted

Okta, Cisco Duo and other authentication services have had a hard time in recent months, with their employees proving to be just as susceptible to phishing as any other type of organization. Cisco revealed that was the cause of the third party breach, but provided little detail and would not name the specific vendor that was hacked.

The good news is that credentials and messages were not involved in this theft, but the MFA logs that were stolen provide criminals with a directory of devices to specifically target as an entry point to client networks. Hackers will almost certainly target these devices with further phishing attempts, but may also look to pull off SIM swaps to gain access to the numbers.

Now that “big names” in the industry are proving to be vulnerable, hackers appear to have an increased interest in targeting authentication services as an initial breach source. While these services are very likely more security-conscious than most, this incident demonstrates that they remain vulnerable to a third party breach via service providers whose cybersecurity is not under their direct control.

Unnamed telephony service provider responsible for third party breach

Cisco Duo would only say that a telephony service provider that handles MFA messages (SMS and VoIP) for North American clients was the source of the third party breach, and that the company is making improvements to avoid future incidents.

The MFA logs that were stolen contain client phone numbers paired with their location (at least at the state and country level), name of the phone service carrier, and the dates and times that various verification message types have been sent. Attackers can certainly make use of this information to craft more realistic spearphishing attempts.

Duo was previously an independent authentication service before being acquired by Cisco’s Networking and Security division in 2018. Cisco often makes the news for security issues, but it is generally for vulnerabilities discovered in its vast array of routers rather than this department. The company’s broader corporate environment was penetrated in mid-2022 by the Yanluowang ransomware gang, however, which made it in via an employee’s personal Google account that was storing company credentials in the Chrome browser (rather than any sort of third party breach). That attack led to the theft of some internal documents that were published on the dark web, but Cisco maintains that the incident created no material business impact.

Recent Posts

How can we help?

10 + 12 =

× How can I help you?