YubiKey OTP leak — attack path

How a mistaken keypress becomes a valid 2FA code for anyone who sees it

1. Leak — OTP sent to Slack (or commit, email, …)

You meant to type in the message box but touched the YubiKey. In its default configuration the key types the 44-character OTP and then Enter, so the message is sent before you can delete it, and the OTP is now visible to everyone in the channel.

[Screenshot: Slack message showing the leaked OTP]
2. Attacker sees the OTP

Anyone in the channel (or with access to the commit or email) can copy it. Unlike an SMS or TOTP code, a Yubico OTP has no time window: the validation server only compares the counters embedded in the code with the last pair it accepted for your key, so the code stays valid until it, or a newer OTP from the same key, has been verified.

3. Exploit — Attacker signs in as you

They paste the OTP into any service where your key is enrolled and which validates against YubiCloud (a VPN or SSH login through pam_yubico, Bitwarden, …), supplying your password first where the OTP is only the second factor. The server sends the code to YubiCloud, which answers OK. They're in.

Live check: paste the OTP from the screenshot together with a YubiCloud client ID (free to obtain), and the page submits it to the YubiCloud verify API. A response of status=OK means the attacker's login would have succeeded. Note that this check itself consumes the code: once YubiCloud has accepted it, the same OTP is rejected everywhere that validates against YubiCloud.
4. You invalidate the leak

You realize you leaked a code. Go to demo.yubico.com/otp/verify, touch your YubiKey again (don't paste the old code), and submit the new OTP. YubiCloud advances the stored counters for your key, which invalidates every earlier OTP from it at every service that validates against YubiCloud. A service that runs its own validation server keeps its own counters, so touch the key once at that service's login as well.

5. Same OTP can't be used again

If the attacker (or you) tries to use the leaked OTP again, verification fails with REPLAYED_OTP: the counters in the code are no higher than the last pair the server accepted for your key. The mistaken keypress is no longer exploitable.
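The counter rule behind steps 2 to 5, as a runnable model. This is an added example, not part of the original page and not Yubico's code: a fake YubiKey emits OTPs with the real plaintext layout and CRC, and a minimal validation server applies the same strictly-increasing-counter check that YubiCloud does. The public ID `ccccccbchvth`, the private uid, the 16-byte secret and the XOR stand-in for AES-128 are all constructed for this demo; the modhex alphabet, the CRC and the field layout are Yubico's.

```python
"""Counter check behind the attack path: fake key plus model validation server
(added example, not Yubico's code; every identity and secret is constructed)."""
import os
import struct

MODHEX = "cbdefghijklnrtuv"   # Yubico's keyboard-layout-independent hex
CRC_RESIDUAL = 0xF0B8         # crc16 over a valid 16-byte token, CRC included


def modhex_encode(data: bytes) -> str:
    return "".join(MODHEX[b >> 4] + MODHEX[b & 0xF] for b in data)


def modhex_decode(text: str) -> bytes:
    if len(text) % 2 or any(c not in MODHEX for c in text):
        raise ValueError("not modhex")
    return bytes(MODHEX.index(text[i]) << 4 | MODHEX.index(text[i + 1])
                 for i in range(0, len(text), 2))


def crc16(data: bytes) -> int:
    """ISO 13239 CRC used in the token: init 0xFFFF, reflected poly 0x8408."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc


def xor_cipher(block: bytes, secret: bytes) -> bytes:
    """Constructed stand-in for AES-128 on the key and in the server's key
    storage module: same shape (shared 16-byte secret), zero security."""
    return bytes(b ^ k for b, k in zip(block, secret))


class FakeYubiKey:
    """Emits 44-char OTPs with the real plaintext layout:
    uid 6 | useCtr 2 LE | tstp 3 | sessionCtr 1 | rnd 2 | crc 2 LE."""

    def __init__(self, public_id: str, uid: bytes, secret: bytes):
        self.public_id, self.uid, self.secret = public_id, uid, secret
        self.use_ctr, self.session_ctr = 0, 0

    def power_on(self) -> None:
        self.use_ctr += 1        # non-volatile, +1 on every power-up
        self.session_ctr = 0     # +1 per touch, reset on power-up

    def touch(self) -> str:
        # timestamp field left at zero: the validation server never reads it
        body = struct.pack("<6sH3sBH", self.uid, self.use_ctr, bytes(3),
                           self.session_ctr, int.from_bytes(os.urandom(2), "little"))
        token = body + struct.pack("<H", ~crc16(body) & 0xFFFF)
        self.session_ctr += 1
        return self.public_id + modhex_encode(xor_cipher(token, self.secret))


class ValidationServer:
    """Counter logic of a Yubico validation server such as YubiCloud."""

    def __init__(self):
        self.keys = {}   # public_id -> (uid, secret), filled at enrolment
        self.last = {}   # public_id -> (use_ctr, session_ctr) last accepted

    def verify(self, otp: str) -> str:
        public_id = otp[:12]
        if len(otp) != 44 or public_id not in self.keys:
            return "BAD_OTP"
        uid, secret = self.keys[public_id]
        try:
            token = xor_cipher(modhex_decode(otp[12:]), secret)
        except ValueError:
            return "BAD_OTP"
        if crc16(token) != CRC_RESIDUAL:
            return "BAD_OTP"                 # wrong secret or tampered body
        t_uid, use_ctr, _, session_ctr, _, _ = struct.unpack("<6sH3sBHH", token)
        if t_uid != uid:
            return "BAD_OTP"
        counters, last = (use_ctr, session_ctr), self.last.get(public_id)
        # The only freshness rule: strictly newer than the last accepted pair.
        # No clock, no expiry: a leaked code lives until it is outranked.
        if last is not None and counters <= last:
            return "REPLAYED_OTP"
        self.last[public_id] = counters
        return "OK"


def _setup():
    key = FakeYubiKey("ccccccbchvth", b"\x01\x02\x03\x04\x05\x06", bytes(range(16)))
    server = ValidationServer()
    server.keys[key.public_id] = (key.uid, key.secret)   # enrolment
    key.power_on()
    return key, server


def scenarios() -> dict:
    out, (key, server) = {}, _setup()
    leaked = key.touch()                         # step 1: the mistaken keypress
    out["attacker first"] = [server.verify(leaked), server.verify(leaked),
                             server.verify(key.touch())]   # OK, REPLAYED_OTP, OK
    key, server = _setup()
    leaked, fresh = key.touch(), key.touch()     # step 4: you touch again first
    out["owner first"] = [server.verify(fresh), server.verify(leaked)]
    key, server = _setup()
    for _ in range(5):
        old = key.touch()                        # counters end at (1, 4)
    key.power_on()                               # replug: next touch is (2, 0)
    out["power cycle"] = [server.verify(key.touch()), server.verify(old)]
    return out
```

Calling `scenarios()` returns, per ordering, the status list the server produced: the attacker's first use of the leaked code is accepted and every later attempt is REPLAYED_OTP, while if you verify a fresh OTP first the leaked one is dead on arrival. The third case shows that unplugging and replugging the key also outranks everything from the previous session, because the usage counter is compared before the session counter. Note what is absent from `verify`: no timestamp or clock comparison anywhere, which is the whole reason a leaked code has no expiry.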