Identity breach teardowns
Real identity-driven incidents, broken down for practitioners: what happened, the root cause, the lesson, and how to defend against the same pattern. Most modern breaches are not clever exploits. Attackers log in with stolen credentials, abuse weak recovery, or ride a stolen session. These teardowns show how, and what stops it.
- Snowflake customers (Ticketmaster, others) · May 2024 · Stolen credentials from infostealers, accounts without MFA
  The 2024 Snowflake customer breaches: stolen credentials meet missing MFA
  A campaign against Snowflake customer tenants showed what happens when stolen credentials meet accounts without MFA: dozens of breaches, no platform vulnerability required.
- Cross-industry · Jan 2024 · Stolen session cookies and tokens that bypass MFA
  Infostealers and session hijacking: stealing the session, skipping the login
  Infostealer malware has made stolen session cookies a primary attack path, letting attackers ride an authenticated session and skip both the password and MFA entirely.
- Microsoft · Jan 2024 · Password spray on a legacy account without MFA, abused OAuth app permissions
  Midnight Blizzard vs Microsoft: a legacy test account and an over-permissioned OAuth app
  How a Russia-linked group reached Microsoft corporate email by password-spraying a forgotten test tenant and abusing OAuth application permissions, a lesson in legacy accounts and consent risk.
- Okta · Oct 2023 · Stolen credential and session tokens in support uploads
  Okta's 2023 support-system breach: when your IdP gets phished
  How attackers used a stolen credential to read Okta support cases and harvest session tokens, why HAR files were the weak link, and what it taught the industry about protecting the identity provider itself.
- MGM Resorts, Caesars, and others · Sep 2023 · Help-desk social engineering to reset credentials and MFA
  Scattered Spider and the help desk: social engineering the identity reset
  Scattered Spider showed that the fastest way past strong authentication is often a phone call to the help desk. Here is the pattern and how to close it.
- Multiple (Uber and others) · Sep 2022 · Repeated push prompts until a user approves
  MFA fatigue and push bombing: defeating MFA without breaking it
  Push-based MFA can be defeated not by breaking the cryptography but by wearing the user down. Here is how MFA-fatigue attacks work and why number matching and phishing-resistant methods matter.
Analyses are compiled from public disclosures and incident reports and link to primary sources. Independent and community-driven. See the disclaimer.