In May 2023, the FBI's Internet Crime Complaint Center reported that business email compromise — the category that includes every CEO fraud email scam — caused adjusted losses exceeding $2.7 billion in 2022 alone. That made it the single most financially devastating cybercrime category the FBI tracks. Not ransomware.
In January 2022, a European subsidiary of the Japanese manufacturer Nikkei lost $29 million after a single employee followed wire transfer instructions from a fraudulent email that impersonated a senior executive. That wasn't a failure of firewalls or endpoint detection. It was a surgical, well-researched executive phishing attack
In December 2020, security firm FireEye discovered that SolarWinds — a company most people had never heard of — had been compromised by a threat actor who injected malicious code into a routine software update. That single update shipped to roughly 18,000 organizations, including the U.S. Treasury, the Department of
In March 2023, the Cybersecurity and Infrastructure Security Agency (CISA) issued emergency directives related to the 3CX supply chain compromise — a desktop phone app used by over 600,000 organizations globally. Threat actors had trojanized the software update itself, meaning every company that trusted the vendor's legitimate update
The Breach That Didn't Start With You In January 2023, Mailchimp disclosed its second breach in under a year — this time through a social engineering attack on an employee. But the real damage radiated outward. Every company using Mailchimp as a vendor suddenly had a problem they didn&
The $350 Million Lesson Marriott Learned After Closing the Deal When Marriott acquired Starwood Hotels in 2016, the deal looked like a hospitality industry win. What nobody caught during cybersecurity due diligence was that Starwood's reservation system had been compromised since 2014. The breach wasn't discovered
In January 2023, the FBI and international law enforcement took down the Hive ransomware group's dark web infrastructure, seizing servers that had processed over $100 million in ransom payments from hospitals, school districts, and financial firms. That operation gave the public a rare, concrete look at what the
In January 2023, Norton LifeLock disclosed that attackers used credential stuffing to compromise roughly 6,450 customer accounts. The passwords didn't come from a Norton breach. They came from stolen credentials dark web marketplaces had been selling for months — maybe years. The attackers simply bought username-password combos from
23 Billion Stolen Credentials Are Already For Sale In January 2023, cybersecurity researchers at Digital Shadows reported over 24.6 billion stolen username-and-password pairs circulating on dark web marketplaces. That's roughly three credentials for every person on Earth. And every single one of them is a loaded weapon
In March 2023, the FBI and CISA issued a joint advisory warning that threat actors were actively using brute force techniques to compromise healthcare and public health sector organizations. These weren't sophisticated zero-day exploits. They were automated scripts guessing passwords — millions of combinations per minute — until one worked.
