Computer Security News and Insights
The Breach That Started Behind the Firewall In 2023, MGM Resorts lost an estimated $100 million after a threat actor social-engineered their way past the help desk with a single phone call. The attacker didn't punch through a firewall. They didn't exploit some exotic zero-day. They
In 2023, the FBI's Internet Crime Complaint Center reported that business email compromise — the category that includes fakeemail schemes — caused over $2.9 billion in adjusted losses across roughly 21,489 complaints. That made it the single most financially damaging cybercrime category in the IC3's annual
The Breach That Changed How I Think About Cyber Security In February 2024, Change Healthcare suffered a ransomware attack that disrupted insurance claims processing for nearly every hospital and pharmacy in the United States. UnitedHealth Group later confirmed the breach affected approximately 100 million individuals — making it the largest healthcare
In 2023, a single reused password gave a threat actor access to 23andMe's credential-stuffing attack that exposed the data of nearly 7 million users. The attacker didn't exploit a zero-day vulnerability or deploy sophisticated malware. They just tried stolen passwords from other breaches — and millions of
In 2023, a single spear phishing email cost MGM Resorts an estimated $100 million in losses. The attacker didn't blast a million inboxes with a generic "Your account has been suspended" message. They researched an employee on LinkedIn, called the IT help desk impersonating that person,
A Teenager Breached Uber. No Malware Required. In September 2022, an 18-year-old compromised Uber's internal systems — not with a sophisticated zero-day exploit, but with a text message. The attacker bombarded an Uber contractor with multi-factor authentication push requests until the contractor finally approved one. From there, the threat
In late 2024, security researchers at Avanan documented a surge of phishing campaigns that weaponized legitimate DocuSign and PayPal infrastructure to deliver convincing credential theft attacks. The emails didn't come from spoofed domains. They came from the actual DocuSign and PayPal platforms — which is exactly why they sailed
One Click Cost This Company $100 Million In 2023, MGM Resorts was brought to its knees — not by a sophisticated zero-day exploit, but by a phone call. A threat actor called the help desk, impersonated an employee found on LinkedIn, and gained enough access to deploy ransomware across the entire
The Text Message That Cost One Company $15 Million In 2022, threat actors hit Twilio with an SMS-based social engineering attack that compromised employee credentials and exposed data for over 160 customers. The attack didn't involve a sophisticated zero-day exploit. It started with a text message pretending to
Last March, a finance director at a mid-size logistics company wired $2.1 million to a threat actor who had spoofed the CEO's email address. The message looked perfect — right tone, right signature, right sense of urgency. The only thing wrong was the reply-to domain, off by a
