What To Do When Receiving Unprompted MFA OTP Codes

Created: Tuesday, December 19, 2023 - 14:26
Categories: Cybersecurity

As more sites and services offer and require multi-factor authentication (MFA), cyber threat actors have turned to various methods to bypass this additional protection. As a result of these attempts, actual account holders may receive unprompted one-time passcodes (OTPs). Receiving an unprompted OTP by email or text should be a cause for concern, as it likely means the account holder's credentials have been stolen, but there are steps to take to stop the activity in its tracks.

Stolen credentials are often obtained via phishing attacks, credential stuffing attacks, social engineering, or information-stealing malware strains. The credentials can then be placed for sale on dark web marketplaces, where other threat actors can buy account access and carry out various forms of financial fraud and theft.

So what should you do if you receive an unprompted OTP? Assume your credentials were stolen and log directly into the site, service, etc. in question, without clicking on any links in text messages or emails, to change your password. It is also important not to assume that, because MFA protected your account, you no longer need to change your password. This is a false sense of security. Additionally, if a site provides support for authentication apps, hardware security keys, or passkeys, you should use one of these options instead, as they’ll require a threat actor to have access to your device to pass the MFA challenge. Read more at Bleeping Computer.