The Hawaiian Airlines Data Breach and the Legacy MFA Failure

When Hawaiian Airlines confirmed a recent cyberattack that disrupted its internal systems, it wasn’t just another headline—it was another red flag.

According to early reports, the threat group Scattered Spider is likely behind the breach. If that name sounds familiar, it should. The group has been linked to multiple high-profile attacks—including the recent Aflac breach—by using the same playbook: real-time phishing through spoofed websites and MFA fatigue tactics to bypass weak authentication.

These aren’t complex, nation-state-level operations. They’re simple relay attacks—and they’re working.

Why Are These Attacks Still Happening?

Despite growing awareness, many companies are still relying on outdated MFA: push approvals, TOTP codes, authenticator apps. These methods were once seen as solid security upgrades, but attackers have adapted. They know how to trick users into entering codes or tapping “Approve” on malicious login requests. And because these MFA systems can’t verify where the login is really coming from, they let attackers right in.

“It’s not that these attacks are sophisticated,” said Kevin Surace, Chair of Token. “They’re successful because companies continue trusting MFA tools that weren’t designed for this threat.”

And so, Hawaiian Airlines joins a growing list—insurers, retailers, airlines—all breached through MFA that’s no match for modern phishing.

Understanding the Breach Playbook

Here’s how it typically goes:

1. An employee lands on a spoofed login page and enters their credentials.
2. The attacker instantly relays that information to the real site, including the MFA code.
3. Access is granted—because the system authenticates the user, not the origin.

This kind of flaw isn’t a bug—it’s a limitation in how traditional MFA works.

Why Token Blocks These Attacks Cold

Token’s products—Token Ring and Token BioStick—aren’t just another step in the MFA evolution. They’re a leap forward. Here’s what makes them different:

• Biometric authentication: You can’t just steal a fingerprint.
• Proximity-based login: The device must be physically near the machine being accessed.
• Cryptographic origin-checking: Even a perfect fake site can’t pass the check.

In a scenario like the Hawaiian Airlines breach, the fake website wouldn’t even engage the Token device. No proximity, no biometric verification, no login. It’s that simple.

Unlike passkeys, which can sync to the cloud and be compromised through account takeover, Token stores credentials in tamper-proof hardware—bound to a single domain and device, and unlocked only by a live fingerprint scan.

Real-World Protection, Not Just a Theory

Just days ago, after the Aflac breach, we warned the industry: phishing-proof MFA isn’t a luxury—it’s a necessity. Now, we’re seeing the same threat actors use the same techniques with the same results.

“How many breaches do we need before we replace security theater with real security?” Surace asked. “Token isn’t just another MFA solution. It’s phishing-proof, fool-proof, and deployable in a single day.”

Ready to move to phishing-proof MFA? Request a Demo.