Token Blog: Phishing and Ransomware Articles

Aflac Was Breached Again. This Is What Happens When Legacy MFA Turns You Into a Honeypot.

Written by Kevin Surace | Jul 7, 2026 2:38:44 PM

Last year, Aflac was swept into a wave of attacks that put the insurance industry on notice. Last week, Aflac disclosed another breach, this time involving its Japan subsidiary. The reported exposure includes policy information, personal data, and bank account information affecting millions of customers.

We do not yet know the precise entry point in this new incident. It would be irresponsible to claim otherwise. But we do know the larger lesson.

Once attackers know your organization relies on passwords, authenticator apps, SMS codes, push approvals, help desk resets, or any other form of legacy MFA, you become a honeypot. Not because attackers have to use the exact same method every time. Because they know there is still a human door to knock on.

They know they can send a convincing phishing email. They know they can build a perfect copy of a login page in minutes. They know they can call an overwhelmed help desk employee. They know they can bombard a user with approval prompts. They know they can intercept, relay, or steal a one time code.

And they know that somewhere inside a large organization, eventually, someone will make one understandable mistake. That is the weakness of legacy MFA. It does not truly prove identity. It asks a person to make a security decision in the middle of an attack.

The First Breach Is Not Always the End of the Story

A breach is supposed to create urgency. Organizations bring in incident response teams, contain the damage, rotate passwords, reset sessions, issue new policies, and retrain employees. All important steps. But if the organization leaves the same basic authentication model in place, the attacker sees something very different.

They see an organization that has already demonstrated its front door can be manipulated. They see a known operating environment. A known identity provider. Known help desk procedures. Known employee workflows. Known pressure points. Known recovery paths. They do not have to break through the wall. They just have to keep trying doors. In a world where phishing kits, deepfake voices, spoofed sites, and AI written social engineering are cheap and fast, they can try thousands of doors at once.

That is why a company using legacy MFA becomes a honeypot after a breach. The attacker does not need to be certain that the original technique will work again. They only need to know that the company still relies on systems built around shared secrets, human judgment, and recoverable credentials.

Authenticator Apps Are Not the Answer People Think They Are

For years, security teams were told to move from passwords to MFA. Then they were told to move from SMS to authenticator apps. That was an improvement over passwords alone. But it was never enough. A six digit code can be phished. A push notification can be approved by mistake. A real time phishing page can relay an authentication flow directly to the legitimate site. A help desk can be manipulated into resetting access. A user who believes they are protecting the company can unknowingly authenticate the attacker. The fundamental flaw is simple. Legacy MFA asks the user to determine whether a request is legitimate at the exact moment an attacker is trying to deceive them.

That is not a security architecture. That is a gamble. And attackers have become very good at winning it.

The Goal Should Be To Make the Attacker Irrelevant

The answer is not another training video telling employees to look more closely at URLs. Training matters. But no company can train every employee to defeat every AI generated phishing site, deepfake voice call, fake password reset request, or pressure campaign. The answer is to eliminate the ability for a user to accidentally authenticate an attacker. That requires phishing resistant authentication built around three nonnegotiable principles.

First, the credential must be cryptographically bound to the real domain. A fake website should not be able to ask for authentication and receive anything useful.

Second, access must require a live biometric match. Not a code. Not a prompt. Not a phone call. Not a password reset.

Third, the authenticator should require physical proximity to the device being used. A criminal halfway around the world should not be able to relay or remotely trigger the authentication process.

This is what biometric FIDO2 hardware does properly.

With Token technology, there is no code to hand over. No push prompt to approve. No shared secret to relay. No cloud based credential to retrieve. No help desk reset that can substitute for the real user.

The device will authenticate only when the real user provides a live fingerprint, from the correct domain, near the actual device requesting access. A fake site fails. A phishing relay fails. An MFA fatigue campaign fails. A convincing phone call fails. A stolen password fails. That is the difference between adding another lock and replacing the front door.

The Uncomfortable Truth

Aflac is not alone. Insurance companies, airlines, retailers, hospitality companies, healthcare organizations, and major enterprises across every industry are being targeted through identity. The attackers are not choosing these methods because they are sophisticated. They are choosing them because they work. And when a company is breached while relying on legacy MFA, it sends a message to every criminal group watching. This organization is worth another try.

That is why I call legacy MFA a honeypot. It may look like protection from the inside. But from the outside, it signals that there are still codes to steal, prompts to manipulate, passwords to reset, and people to pressure.

The world now knows that MFA and authenticator apps can be compromised in real time. The question is whether organizations will keep defending the old model, or finally deploy authentication that makes the entire attack class fail before it begins.

The strongest security outcome is not detecting the attacker faster after they enter. It is making sure they never get in at all.