
The Los Angeles Department of Mental Health has fallen victim to a multi-factor authentication attack, otherwise known as push notification spam.
The City of Gardena Police Department (GPD) was initially hit by a cyberattack in which threat actors accessed an employee’s GPD Microsoft Office 365 account via a multi-factor authentication attack or push notification attack on January 22nd, 2024.
The email exchanges between the GPD and the Department of Mental Health (DMH) allowed the threat actor(s) to contact a DMH employee via email and access that employee’s Microsoft Office 365 account.
Malicious actors employ push notification attacks (push fatigue attacks or MFA-prompt bombing) to bypass multi-factor authentication and breach accounts. The attackers often already possess valid usernames and passwords as they spam the victim with notifications to authenticate until the target tires and finally accepts it.
The personal information involved includes:
- Names
- Dates of birth
- Social Security numbers
- Addresses
- Telephone numbers
- Medical record numbers
Despite the vast amount of personal information involved, the DMH claims that there’s no evidence the information has been exploited.
Once the DMH became aware of the attack, the organization claimed to disable the affected accounts promptly while resetting “the Microsoft Office 365 and multi-factor authentication credentials,” the breach notification reads.
The investigation into the breach concluded on March 19th, 2024, once forensic specialists and law enforcement had been informed.
The DMH urges impacted individuals “to review your financial and account statements and immediately report all suspicious activity to the institution that issued the record.”
Your email address will not be published. Required fields are markedmarked