Posts exploring how attackers steal usernames, passwords, and authentication tokens through phishing, keylogging, brute force attacks, and credential stuffing. Includes actionable guidance on multi-factor authentication, password managers, and monitoring for compromised credentials.
posts
A Single Stolen Password Cost This Company $60 Million In 2023, MGM Resorts International was brought to its knees — not by a sophisticated zero-day exploit, but by a phone call. A threat actor called the help desk, impersonated an employee found on LinkedIn, and gained access to internal systems. The
Welcome to the Phish Tour Nobody Asked For In March 2024, MGM Resorts was still tallying the damage from a social engineering attack that started with a single phone call. The threat actor convinced a help desk employee to reset credentials. Total estimated cost: over $100 million. That attack didn&
A Marketing Team's Slack Alternative Nearly Took Down an Entire Hospital Network In 2023, a regional healthcare system discovered that its marketing department had been using an unapproved messaging platform for over 14 months. Nobody in IT knew. The platform stored patient-adjacent data with no encryption, no access
In 2023, a single phishing email gave threat actors access to MGM Resorts' entire IT infrastructure. The attackers impersonated an employee on a help desk call — a technique they refined through information harvested from a phishing campaign. The result was over $100 million in losses and days of operational
76,000 Victims and Counting — The FBI's Smishing Alert Is Serious In early 2024, the FBI and FTC issued urgent warnings about a massive smishing campaign impersonating toll collection agencies and delivery services across all 50 states. By late 2025, the IC3 had cataloged tens of thousands of
The Breach That Started With "Company123!" In 2024, the credential stuffing attack against Roku compromised over 576,000 accounts. The attackers didn't exploit some exotic zero-day vulnerability. They used passwords stolen from other breaches and tried them against Roku accounts — because people reuse passwords everywhere. That
The Breach That Started With One Reused Password In 2022, a single employee at LastPass reused credentials across personal and work accounts. A threat actor exploited that overlap, eventually compromising encrypted password vaults for millions of users. The irony — a password management company breached because of poor password hygiene — should
In 2024, MGM Resorts lost roughly $100 million after a social engineering attack that started with a single phone call to their help desk. The attacker didn't exploit a zero-day vulnerability. They didn't brute-force a password. They manipulated a human being. And that's the
In September 2022, a teenager allegedly convinced an Uber employee to hand over access credentials through a simple text message. No zero-day exploit. No sophisticated malware. Just a convincing story and a target who didn't verify the request. That single social engineering attack gave the threat actor access
A Single Email Cost This Company $100 Million In 2017, a Lithuanian man tricked Google and Facebook employees into wiring over $100 million to bank accounts he controlled. His weapon wasn't malware. It wasn't a zero-day exploit. It was email. He sent invoices that looked like
