MFA‑Fatigue Scam Almost Hijacked WordPress Co‑Founder’s Apple ID – Executive Credential‑Compromise Alert
What Happened – A sophisticated social‑engineering campaign targeted WordPress co‑founder Matt Mullenweg with an MFA‑fatigue attack, spoofed Apple support calls, and a convincing phishing page that nearly allowed the attackers to take control of his Apple ID. The attempt was documented in episode 459 of the Smashing Security podcast.
Why It Matters for TPRM –
- Executive accounts are high‑value targets; a breach can expose corporate‑wide cloud resources.
- MFA‑fatigue attacks defeat the push‑based multi‑factor controls that many third‑party risk programs rely on, by exhausting the user rather than breaking the technology.
- Successful compromise of a vendor’s senior leader can cascade to partner ecosystems and supply‑chain data.
Who Is Affected – Technology SaaS firms, cloud‑service providers, and any organization whose leadership uses personal Apple IDs for business access.
Recommended Actions –
- Review and harden MFA policies for privileged accounts (e.g., cap the number of push notifications a user can receive and enforce time‑based rate limits before falling back to a stronger verification path).
- Conduct phishing‑simulation training focused on MFA‑fatigue scenarios for executives.
- Verify that Apple ID recovery processes are documented and that support calls are authenticated through official channels.
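As an added illustration (not from the podcast or the alert source) of the push‑limiting control in the Recommended Actions and the repeated‑push wear‑down described in the Technical Notes: the detection pass flags a user who receives more than a set number of push prompts inside a sliding window, and `allow_push` is the server‑side rate limit an identity provider would apply before sending another prompt. The log format, user names and thresholds are constructed assumptions.

```python
from collections import deque, defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the podcast or any real system):
# "<ISO timestamp> <user> <event>", event is push_sent / push_denied / push_approved.
SAMPLE_LOG = """\
2024-05-01T09:00:00 exec@example.com push_sent
2024-05-01T09:00:05 exec@example.com push_denied
2024-05-01T09:00:20 exec@example.com push_sent
2024-05-01T09:00:31 exec@example.com push_denied
2024-05-01T09:01:02 exec@example.com push_sent
2024-05-01T09:01:10 exec@example.com push_denied
2024-05-01T09:01:40 exec@example.com push_sent
2024-05-01T09:03:00 alice@example.com push_sent
2024-05-01T09:03:04 alice@example.com push_approved
"""

def parse_log(text):
    """Parse the constructed log format into (timestamp, user, event) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, event = line.split()
        events.append((datetime.fromisoformat(ts), user, event))
    return events

def detect_push_storms(events, max_pushes=3, window=timedelta(minutes=5)):
    """Detection: flag a user once more than max_pushes prompts land inside a
    sliding window. Returns {user: (time_of_alert, denials_seen_in_window)}."""
    sent = defaultdict(deque)     # user -> push_sent timestamps inside the window
    denied = defaultdict(deque)   # user -> push_denied timestamps inside the window
    alerts = {}
    for ts, user, event in events:
        for q in (sent[user], denied[user]):
            while q and ts - q[0] > window:   # evict events older than the window
                q.popleft()
        if event == "push_sent":
            sent[user].append(ts)
        elif event == "push_denied":
            denied[user].append(ts)
        if len(sent[user]) > max_pushes and user not in alerts:
            alerts[user] = (ts, len(denied[user]))
    return alerts

def allow_push(recent_pushes, now, max_pushes=3, window=timedelta(minutes=5)):
    """Mitigation: the IdP calls this before sending a prompt. Once the cap is
    reached it must fall back to a non-push factor or help-desk verification
    instead of wearing the user down with yet another notification."""
    in_window = [t for t in recent_pushes if now - t <= window]
    return len(in_window) < max_pushes
```

Repeated denials inside the window (three here) are the strongest signal that the prompts are unsolicited, so a SOC would page on that tuple rather than on push volume alone.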
Technical Notes – The attack chain combined phishing pages, spoofed Apple support calls, and repeated MFA push requests intended to wear down the user’s resistance. No CVEs were involved; the threat relied on human factors rather than software vulnerabilities. Data at risk would have included personal Apple credentials, access to iCloud, and any linked corporate services.
Source: Smashing Security Podcast #459