Tag

Credential Theft Protection

Explore strategies and tools to defend against credential theft attacks, including password spraying, keylogging, and credential stuffing. This tag covers best practices for safeguarding login credentials, implementing multi-factor authentication, and detecting compromised accounts before attackers exploit them.

Zero Trust Security Model

Zero Trust Security Model: Why Perimeter Defense Is Dead

A Castle With No Walls Left to Defend

In January 2024, Microsoft disclosed that the Russian threat actor Midnight Blizzard had compromised executive email accounts — not by breaching a firewall, but by password-spraying a legacy test tenant account that lacked multi-factor authentication. The attackers moved laterally for weeks before detection.

Carl B. Johnson | May 15, 2026 | 5 min read

Phishing Prevention Tips

Phishing Prevention Tips That Actually Stop Attacks

In March 2024, a finance employee at a multinational firm wired $25 million to threat actors after a deepfake video call that impersonated the company's CFO. The attack started with a single phishing email. That one message opened the door to a loss most companies would never recover

Carl B. Johnson | May 13, 2026 | 5 min read

VPN Best Practices

VPN Best Practices: What Actually Protects You in 2026

In early 2024, threat actors exploited critical vulnerabilities in Ivanti Connect Secure VPN appliances so aggressively that CISA issued an emergency directive ordering federal agencies to disconnect the devices entirely. Not patch them. Disconnect them. That moment should have been a wake-up call: having a VPN isn't enough.

Carl B. Johnson | Apr 12, 2026 | 5 min read

Cybersecurity for Financial Services

Cybersecurity for Financial Services: A 2026 Playbook

The Industry That Can't Afford a Single Mistake

In November 2023, the SEC fined several financial advisory firms a combined total of nearly $750,000 for cybersecurity failures following credential theft incidents that exposed thousands of customer records. The firms had the basics — firewalls, antivirus — but lacked the

Carl B. Johnson | Mar 29, 2026 | 5 min read

Security for System

Security for System Environments: A 2025 Field Guide

The Breach That Started With a Single Unpatched System

In February 2024, UnitedHealth Group's subsidiary Change Healthcare suffered a ransomware attack that disrupted healthcare payment processing across the United States for weeks. The attackers gained access through a Citrix remote access portal that lacked multi-factor authentication. One system.

Carl B. Johnson | Nov 06, 2025 | 7 min read

Web Security Best Practices

Web Security Best Practices That Actually Stop Breaches

In January 2023, T-Mobile disclosed that a threat actor exploited an API vulnerability to steal personal data on 37 million customer accounts. Not through some exotic zero-day — through a misconfigured web API that had been leaking data since November 2022. That's two months of silent hemorrhaging before anyone

Carl B. Johnson | Oct 26, 2025 | 8 min read

Phishing Prevention

How to Avoid Phishing Attacks: A 2025 Survival Guide

In May 2025, the FBI's Internet Crime Complaint Center reported that phishing and its variants remained the number-one reported cybercrime for the fifth consecutive year, with losses tied to business email compromise alone exceeding $2.9 billion annually in recent reports. I've spent over two decades

Carl B. Johnson | Sep 22, 2025 | 7 min read

Phishing Awareness Program

Phishing Awareness Program: Build One That Works

In March 2025, a mid-size healthcare provider in the Midwest lost 1.4 million patient records because one employee in accounts payable clicked a link in a fake DocuSign email. The organization had antivirus software, a firewall, and an email gateway. What they didn't have was a phishing

Carl B. Johnson | Sep 22, 2025 | 7 min read

Phishing Training for Employees

Phishing Training for Employees: A Practical Guide

In March 2024, a finance employee at a multinational firm in Hong Kong wired $25.6 million to threat actors after a deepfake video call convinced him his CFO had authorized the transfer. One employee. One convincing lure. Twenty-five million dollars gone. That's not a hypothetical — it'

Carl B. Johnson | May 03, 2024 | 7 min read