Posts exploring how attackers steal usernames, passwords, and authentication tokens through phishing, keylogging, brute force attacks, and credential stuffing. Includes actionable guidance on multi-factor authentication, password managers, and monitoring for compromised credentials.
posts
A Single Misconfigured Bucket Cost Them Everything In 2023, Toyota disclosed that a cloud misconfiguration had exposed the vehicle location data of 2.15 million customers for over a decade. The root cause wasn't a sophisticated threat actor. It was a single storage bucket set to public instead
The Text Message That Cost a Company $15 Million In 2022, Twilio disclosed a breach that started with a simple SMS message. Employees received text messages impersonating the IT department, directing them to a fake login page. Several entered their credentials. That single vector — mobile phishing attacks delivered via text
A few years ago, a journalist filmed himself reading credit card numbers, PINs, and passwords off the screens of commuters on a London train. No malware. No exploit kit. Just a pair of eyes and a decent camera phone. That's a shoulder surfing attack in its simplest form
The CEO Who Wired $47 Million to a Threat Actor In 2016, Austrian aerospace manufacturer FACC lost €42 million (roughly $47 million) after attackers impersonated the company's CEO via email and convinced an employee in the finance department to transfer funds for a fake acquisition project. The CEO
In April 2024, a credentials dump containing over 26 billion records — dubbed the "Mother of All Breaches" — surfaced on dark web forums. LinkedIn, Twitter, Dropbox, Adobe, and hundreds of other platforms were represented. Within weeks, threat actors were using those credentials in automated stuffing attacks against small and
Your Employees' Passwords Are Probably Already There In 2023, the FBI's Internet Crime Complaint Center received over 880,000 complaints with potential losses exceeding $12.5 billion — and a significant share of that activity traces back to credentials and data traded on dark web marketplaces. If you&
In January 2024, a massive dataset known as the "Mother of All Breaches" surfaced containing 26 billion records — credentials scraped, aggregated, and repackaged from hundreds of previous data breaches. Usernames. Passwords. Email addresses. All of it sitting on dark web forums, available to anyone willing to pay. If
A Single Password Got Them Into the Colonial Pipeline In May 2021, a single compromised password on an inactive VPN account gave the DarkSide ransomware group access to Colonial Pipeline's network. There was no multi-factor authentication on that account. The attackers didn't need a sophisticated zero-day
A Single Stolen Password Cost One Company $60 Million In 2023, MGM Resorts lost an estimated $100 million after a threat actor used social engineering to take over an employee's account through a help desk call. The attackers didn't hack a firewall. They didn't
A Single Stolen W-2 Cost This Company $1.6 Million In 2023, a mid-size manufacturing firm in Ohio lost control of every employee's W-2 data after one payroll clerk fell for a CEO impersonation email. The threat actor filed fraudulent tax returns before anyone noticed. The cleanup — credit
