Reports of exposed cloud credentials drew attention to single-sign-on and federation hygiene, though details and scope were disputed.

A wave of breaches at Snowflake customers was attributed to stolen credentials and accounts without multifactor authentication, fueling major data theft.

Live Nation confirmed a breach of Ticketmaster data hosted in Snowflake, part of a campaign exploiting accounts without multifactor authentication.

Cisco Duo notified customers that a breach at a telephony provider exposed SMS multifactor message logs, underscoring the weakness of SMS-based MFA.

The Change Healthcare ransomware attack, one of the most disruptive in US healthcare, started with compromised credentials on a server lacking MFA.

Microsoft reported the Russia-linked Midnight Blizzard group accessed executive email after password-spraying a legacy test account without MFA.

23andMe attributed a large data exposure to credential stuffing against accounts that reused passwords and lacked MFA, later leading to settlements.

Okta disclosed that attackers accessed its support system using a stolen credential, exposing session tokens and prompting customers to harden configurations.

Attackers reportedly reset an employee credential via the help desk to breach MGM Resorts, a high-profile example of social engineering defeating identity controls.

Microsoft disclosed that a China-linked group, Storm-0558, forged authentication tokens using a stolen signing key to access email, intensifying scrutiny of token security.