posts
The Breach That Made "Trust But Verify" Obsolete In January 2024, Microsoft disclosed that a Russian state-sponsored threat actor known as Midnight Blizzard had compromised executive email accounts — not by exploiting some exotic zero-day, but by password-spraying a legacy test tenant account that lacked multi-factor authentication. One overlooked
In January 2023, T-Mobile disclosed that a threat actor had been siphoning data from 37 million customer accounts since November 2022 — through a single exploited API. The attacker moved laterally for weeks without triggering alarms. If you've ever wondered what is zero trust and why the entire industry
In May 2021, a single compromised password shut down the Colonial Pipeline and triggered fuel shortages across the eastern United States. The attackers used a legacy VPN account that had no multi-factor authentication. One credential. No additional verification. That's all it took to paralyze critical infrastructure. If you&
The SolarWinds Hack Just Proved Your Perimeter Is an Illusion As I write this in December 2020, we're watching the SolarWinds supply chain attack unfold in real time. Threat actors — likely nation-state sponsored — compromised a trusted software update to infiltrate the U.S. Treasury, the Department of Commerce,
