The Uber hack is an interesting case to analyze. Let's take a look at the attack steps:

- Contractor password obtained through social engineering. However, that password is useless without the multi-factor authentication code. Hence the second step.
- Brute force the multi-factor authentication code: simply keep guessing. Since the code is 6 digits, there are 1 million possible guesses.
- Apparently there was a lack of lock-out policies, so the attacker could keep guessing the code without anything stopping them!
- BOOM! The attacker gained access.

This shows that 2FA is not MAGIC! It's a security measure that must be configured properly along with the rest of the security policies.
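The missing lock-out policy from the steps above, sketched as an added example (not part of the original post and not Uber's code). The names `OtpAttemptLimiter` and `guess_success_chance` are hypothetical, and the default of 5 failures with a 15-minute lock is an assumed policy, not one the post specifies.

```python
import hmac
import time


class OtpAttemptLimiter:
    """Wraps second-factor code checks with a per-account lock-out policy."""

    def __init__(self, max_failures=5, lockout_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures        # assumed policy value
        self.lockout_seconds = lockout_seconds  # assumed policy value
        self.clock = clock                      # injectable so tests control time
        self._failures = {}      # account -> consecutive failed attempts
        self._locked_until = {}  # account -> time at which the lock expires

    def verify(self, account, submitted, expected):
        """Return 'ok', 'invalid' or 'locked' for one submitted code."""
        now = self.clock()
        # Check the lock BEFORE comparing: while locked, even the correct
        # code is refused, so continued guessing gains nothing.
        if now < self._locked_until.get(account, float("-inf")):
            return "locked"
        # Constant-time comparison of the submitted and expected codes.
        if hmac.compare_digest(submitted.encode(), expected.encode()):
            self._failures.pop(account, None)
            return "ok"
        count = self._failures.get(account, 0) + 1
        self._failures[account] = count
        if count >= self.max_failures:
            self._locked_until[account] = now + self.lockout_seconds
            self._failures[account] = 0
        return "invalid"


def guess_success_chance(attempts_allowed, digits=6):
    """Chance that distinct guesses hit one fixed code of the given length."""
    return min(attempts_allowed / 10 ** digits, 1.0)


if __name__ == "__main__":
    print("5 tries:", guess_success_chance(5))                # 5e-06
    print("unlimited tries:", guess_success_chance(10 ** 6))  # 1.0
```

In production the counters belong in shared storage so every authentication server sees the same failure count, and repeated lock-outs on one account are worth alerting on.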