How Hackers Exploit Vulnerabilities in MFA-Protected Accounts: A Real-Life Heygen Account Takeover Story
Despite using MFA and strong passwords, Keepnet’s Heygen account was compromised. This blog reveals how attackers exploited platform flaws and what your team can learn to avoid similar breaches.
Heygen is an AI-powered platform that creates interactive video and voice content for personalized learning. At Keepnet, we use Heygen to deliver engaging security awareness training that drives real behavior change and strengthens cybersecurity culture.
Multi-Factor Authentication (MFA) is a trusted method for protecting online accounts, but it only guards the login step. It cannot stop an attacker who already holds a valid session, or who can change the account's recovery email without a second check, so a breach is still possible when other overlooked gaps in the platform are exploited.
In this blog, we’ll share a real-life account takeover incident involving Heygen. Despite having MFA enabled, attackers exploited hidden weaknesses to gain access. We'll break down how it happened, what we learned, and why we still believe in the platform’s value for security training.
The Attack: How Hackers Took Over Our MFA-Protected Heygen Account
At Keepnet, we enabled Multi-Factor Authentication (MFA) on our Heygen account and used a strong, unique password that was never shared. We believed these steps would be enough to prevent unauthorized access. But over several weeks, our account was compromised multiple times. Here's how the attackers got in.
MFA Didn’t Terminate Active Sessions
When we changed our password and enabled MFA, we assumed this would immediately secure our account. It did not. Both changes only affect future logins; Heygen’s system did not invalidate the sessions that already existed, so the attacker, who was already logged in, simply kept using that session. They were never asked for the new password or an MFA code, because they never had to authenticate again.
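The fix for this class of flaw is to bind every session to the account's current "credential epoch" and bump that epoch on any password or MFA change. The following is an added example written for this post, not Heygen's code; it is a constructed in-memory model with illustrative account names and tokens, and it also serves the session-termination recommendation in the lessons section below. The vulnerable store reproduces the behaviour described above; the hardened store rejects any session minted before the last credential change while re-issuing a fresh session for the device that made it.

```python
"""Binding sessions to a credential epoch (added example, not Heygen's code).

Constructed, in-memory model. Every session records the account's
credential epoch at issue time; a password change or MFA enrolment bumps
the epoch, so sessions issued earlier stop validating. Account names and
tokens are illustrative."""
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    email: str
    password_hash: str            # stand-in; use argon2/bcrypt in real code
    mfa_enabled: bool = False
    credential_epoch: int = 0     # incremented on any credential change


@dataclass
class Session:
    token: str
    email: str
    epoch_at_issue: int


class VulnerableSessionStore:
    """Validates only that the token exists and belongs to the account."""

    def __init__(self) -> None:
        self.sessions: dict[str, Session] = {}

    def issue(self, account: Account) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(token, account.email, account.credential_epoch)
        return token

    def is_valid(self, token: str, account: Account) -> bool:
        s = self.sessions.get(token)
        return s is not None and s.email == account.email


class HardenedSessionStore(VulnerableSessionStore):
    """Additionally rejects sessions issued under an older credential epoch."""

    def is_valid(self, token: str, account: Account) -> bool:
        s = self.sessions.get(token)
        return (
            s is not None
            and s.email == account.email
            and s.epoch_at_issue == account.credential_epoch
        )


def change_password(account: Account, new_hash: str) -> None:
    account.password_hash = new_hash
    account.credential_epoch += 1      # invalidates every outstanding session


def enable_mfa(account: Account) -> None:
    account.mfa_enabled = True
    account.credential_epoch += 1      # MFA enrolment is a credential change too


def rotate_current_session(store: VulnerableSessionStore, old_token: str,
                           account: Account) -> str:
    """Re-issue a fresh session for the device that made the change, so the
    legitimate user is not logged out of their own browser."""
    store.sessions.pop(old_token, None)
    return store.issue(account)


def simulate_takeover(store: VulnerableSessionStore) -> dict:
    """Attacker already holds a session when the owner rotates credentials.
    Returns whether the attacker's old session and the owner's re-issued
    session still validate afterwards."""
    acct = Account("victim@example.test", "hash-v1")
    attacker_token = store.issue(acct)        # obtained before remediation
    owner_token = store.issue(acct)

    change_password(acct, "hash-v2")
    enable_mfa(acct)
    owner_token = rotate_current_session(store, owner_token, acct)

    return {
        "attacker_session_still_valid": store.is_valid(attacker_token, acct),
        "owner_session_valid": store.is_valid(owner_token, acct),
    }


if __name__ == "__main__":
    print("vulnerable:", simulate_takeover(VulnerableSessionStore()))
    print("hardened:  ", simulate_takeover(HardenedSessionStore()))
```

With the vulnerable store the attacker's pre-existing session survives both the password change and MFA enrolment; with the hardened store it is rejected on the next request, while the owner's freshly rotated session keeps working. An equivalent production approach stores the epoch (or a `password_changed_at` timestamp) on the account record and checks it on every request, or revokes server-side session rows directly.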
Email Address Change Without Verification
The second weakness was that the account’s login email could be changed from an active session with no verification at all. A change to the login address is effectively a credential change: it should require the user to re-authenticate, and it should not take effect until a one-time password (OTP) or confirmation link sent to the new address has been used, with a notice going to the old address. Heygen prompted for none of these safeguards.
The hacker changed the account’s email from support@keepnetlabs.com to heygenteamn@boxfi.uk, which locked us out. Because the address on file was now the attacker’s, we could not recover the account on our own and were dependent on further support from the Heygen team.
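What a verified email-change flow looks like, as an added example written for this post rather than Heygen's code (it also illustrates the email-verification recommendation in the lessons section below). It is a constructed model: the addresses are illustrative, mail delivery is simulated with an in-memory outbox, and the re-authentication window and token lifetime are assumed values. The flawed one-line version is kept alongside for contrast; the safe version requires a recent re-login, an MFA step-up when MFA is enabled, and a one-time token that is only sent to the new address, while the old address receives a notice and a cancel token.

```python
"""Verified email-address change with step-up (added example, not Heygen's code).

Constructed model. Changing the login address is treated like a credential
change: the caller must have re-authenticated recently, must pass an MFA
step-up when MFA is on, and nothing is committed until a one-time token
delivered only to the NEW address is presented. The OLD address receives a
notice with a cancel token. Addresses and time windows are illustrative."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

REAUTH_WINDOW = 5 * 60      # seconds a fresh re-login counts as "recent" (assumed)
TOKEN_TTL = 15 * 60         # seconds a confirmation token stays valid (assumed)

outbox: list = []           # (recipient, message); stand-in for a mail sender


@dataclass
class PendingChange:
    new_email: str
    confirm_token: str
    cancel_token: str
    expires_at: float


@dataclass
class Account:
    email: str
    mfa_enabled: bool = False
    pending: Optional[PendingChange] = None


def change_email_unverified(acct: Account, new_email: str) -> None:
    """The flawed behaviour: anyone holding a session can rebind the account."""
    acct.email = new_email


def request_email_change(acct: Account, new_email: str, *, now: float,
                         reauthenticated_at: float, mfa_passed: bool) -> None:
    """Stage a change; nothing is committed until confirm_email_change()."""
    if now - reauthenticated_at > REAUTH_WINDOW:
        raise PermissionError("recent re-authentication required")
    if acct.mfa_enabled and not mfa_passed:
        raise PermissionError("MFA step-up required")
    acct.pending = PendingChange(
        new_email=new_email,
        confirm_token=secrets.token_urlsafe(32),
        cancel_token=secrets.token_urlsafe(32),
        expires_at=now + TOKEN_TTL,
    )
    # Proof of control of the new address; a cancel handle for the old owner.
    outbox.append((new_email, f"confirm={acct.pending.confirm_token}"))
    outbox.append((acct.email,
                   f"email change requested to {new_email}; "
                   f"cancel={acct.pending.cancel_token}"))


def confirm_email_change(acct: Account, presented: str, *, now: float) -> bool:
    """Commit the staged change only with a valid, unexpired confirm token."""
    p = acct.pending
    if p is None or now > p.expires_at:
        return False
    if not hmac.compare_digest(p.confirm_token, presented):   # constant-time
        return False
    old = acct.email
    acct.email, acct.pending = p.new_email, None
    outbox.append((old, f"your login email was changed to {p.new_email}"))
    return True


def cancel_email_change(acct: Account, presented: str) -> bool:
    """Old-address owner can abort a change they did not request."""
    p = acct.pending
    if p is None or not hmac.compare_digest(p.cancel_token, presented):
        return False
    acct.pending = None
    return True
```

The key property is that holding a session is not enough: an attacker who cannot read mail at the new address cannot complete the change, and the legitimate owner learns about the attempt at the old address before anything is committed. In production the pending record and tokens live in the database, and the outbox is a real mail sender.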
Over 3 Weeks of Escalations with No Resolution
We spent over three weeks engaging with Heygen’s support team, providing detailed evidence and repeatedly explaining the issue. Yet, the problem remained unresolved due to several challenges:
- Lack of Technical Understanding – The support team struggled to fully understand the severity of the issue and the vulnerabilities that were being exploited.
- Scripted Responses and Limited Troubleshooting – Many of the responses were generic and didn’t address the root cause of the problem, such as the email address change and the persistence of active sessions.
- Slow Escalation – Although we asked for the issue to be escalated, the process moved slowly, further delaying a solution.
- Failure to Identify Core Vulnerabilities – Instead of looking into how their system allowed the breach, they got stuck on irrelevant points, such as whether the new email address looked suspicious.
Escalating the Issue: Messaging Heygen’s CEO and CTO
To speed up resolution, we contacted Heygen’s CEO and CTO directly on LinkedIn, hoping for a quick response. Unfortunately, we didn’t receive any reply, which added to our growing frustration.
Why It Happened: Security Gaps in Heygen’s System
This breach wasn’t due to weak passwords or phishing; we had strong protections in place. The real problem was two weaknesses in Heygen’s platform that chained together:
- Active sessions weren’t terminated after a password change or MFA enrolment, so the attacker’s existing login kept working.
- Email address changes didn’t require verification, so from that surviving session the attacker could rebind the account to an address they controlled.
Together these flaws meant the attacker never had to pass an MFA challenge at all: MFA gates new logins, and the attacker never needed one.
The Consequences: Losing Trust and Time
This breach led to significant operational disruptions, as we were unable to access our account for several weeks. The time spent addressing this issue impacted our ability to use Heygen effectively, and we also faced financial losses due to the ongoing subscription without the expected service. This was particularly frustrating as we had high hopes for the platform’s potential.
What Needs to Be Done: Lessons Learned and Recommendations
Our experience highlights the need for robust and multi-layered security measures, even when MFA is in place. We believe Heygen has great potential and can offer valuable tools for security awareness training, but certain improvements must be made to protect its customers against vulnerabilities:
- Active sessions should be terminated immediately when the password or MFA settings are updated, keeping at most the one session that made the change.
- Email address changes should require a fresh re-authentication (including MFA where it is enabled) and should not take effect until a one-time password (OTP) or confirmation link sent to the new address has been used, with a notification and a cancel option sent to the old address.
These measures will help prevent unauthorized account takeovers and provide a more secure user experience.
If you're looking to strengthen your own organization’s security posture and benchmark your team’s behavior and culture, we recommend reading What Is the Security Culture Maturity Model, and How Does It Benchmark Your Security Behavior and Culture Program?
Protecting Your Accounts Beyond MFA
MFA is important, but it shouldn't be your only defense. Our experience with Heygen showed how overlooked platform weaknesses can still lead to an account takeover even when MFA is enabled. A practical check after any credential rotation: if the tool offers a "sign out of all devices" control, use it, then confirm from another browser that the old session is actually rejected rather than assuming the password or MFA change did that for you.
We still believe in the platform’s potential, but stronger protections are needed to keep users safe.
We encourage everyone to regularly review the security features of the tools they use and stay alert to evolving threats. If you’ve had similar experiences, we’d love to hear from you. By sharing stories and raising awareness, we can all contribute to stronger digital defenses.
To explore smarter, more effective approaches to security training, check out Keepnet’s latest guide: AI-Powered Hyper-Personalized Security Awareness Program: A Strategic Guide for Organizations.