Data Breaches Strike Through Third-Party Compromise (passwords are to blame, again)

-Brittney Liburd, Senior Manager, Product Marketing

In our May 30, 2021 blog, Why Organizations Need to Eliminate Passwords – Once and For All, we talked about how passwords have become a gateway to security risks. A few successful cyber breaches stand out on this front.

In early 2020, hackers infiltrated the file server of American software company SolarWinds, embedding malicious code into its “Orion” software product. The malware then infected thousands of enterprises, as well as the U.S. Treasury Department and other federal agencies, via compromised updates that the company unknowingly released. The alleged source vulnerability? In 2017, a SolarWinds intern inadvertently exposed the password for an internal server account, “solarwinds123”, to the public.

Recently, both Microsoft and Okta confirmed that LAPSUS$, an extortion-focused hacking crew, had gained access to their systems. Once again, compromised credentials were flagged. A Microsoft spokesperson indicated that the breach was facilitated by means of a single compromised account. LAPSUS$, which first emerged in July 2021, has targeted a wealth of companies since then, including Impresa, Brazil’s Ministry of Health, Claro, Embratel, NVIDIA, Samsung, Mercado Libre, Vodafone, and most recently Ubisoft.

The group’s tactics are pretty standard, including phone-based social engineering schemes and SIM-swapping to facilitate account takeover, accessing personal email accounts of employees at target organizations, and even bribing employees, suppliers, or business partners of companies for access. There are also reports that a practice called “MFA Bombing” (repeatedly sending authentication prompts until a worn-down user approves one) was used to bypass weaker legacy authentication such as one-time passwords sent by SMS or push authentication prompts sent to a mobile device.
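As an added example (not from the original post, and not authID’s code), here is a defender-side check for the push-fatigue pattern described above: it replays a constructed authentication log and flags any user who receives more than a set number of push prompts inside a sliding window, noting whether that user finally approved a prompt after denying earlier ones. The log format, event names and thresholds are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (assumed format, not real data).
# "alice" is hammered with push prompts and eventually approves one;
# "bob" shows a normal single prompt followed by approval.
SAMPLE_LOG = """\
2022-03-22T02:10:00Z user=alice event=push_sent
2022-03-22T02:10:09Z user=alice event=push_denied
2022-03-22T02:10:30Z user=alice event=push_sent
2022-03-22T02:10:41Z user=alice event=push_denied
2022-03-22T02:11:02Z user=alice event=push_sent
2022-03-22T02:11:15Z user=alice event=push_denied
2022-03-22T02:11:40Z user=alice event=push_sent
2022-03-22T02:11:52Z user=alice event=push_approved
2022-03-22T08:30:00Z user=bob event=push_sent
2022-03-22T08:30:06Z user=bob event=push_approved
"""


def parse_line(line):
    """Parse one '<ts> user=<u> event=<e>' line into (datetime, user, event)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kv["user"], kv["event"]


def detect_push_fatigue(log_text, max_prompts=3, window=timedelta(minutes=10)):
    """Return {user: (prompt_count, approved_after_denials)} for every user who
    received more than max_prompts push prompts within a sliding time window.
    approved_after_denials is True when the user approved a prompt while at
    least one denial is still inside the window: the "wear them down" signature.
    The log is assumed to be in time order."""
    recent = defaultdict(deque)  # user -> (ts, event) pairs inside the window
    alerts = {}
    for line in log_text.splitlines():
        ts, user, event = parse_line(line)
        q = recent[user]
        q.append((ts, event))
        while ts - q[0][0] > window:  # drop events that fell out of the window
            q.popleft()
        sent = sum(1 for _, e in q if e == "push_sent")
        denied = sum(1 for _, e in q if e == "push_denied")
        if sent > max_prompts:
            approved_after_denials = event == "push_approved" and denied > 0
            prev = alerts.get(user, (0, False))
            alerts[user] = (max(prev[0], sent), prev[1] or approved_after_denials)
    return alerts
```

A flagged user is a candidate for stepping up to a phishing-resistant factor and for throttling further prompts, rather than letting the prompts continue.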

What Should Your Organization Do?

It’s time for corporate security teams to take notice. To limit the impact of a third-party breach on your organization, take these five easy steps:

Secure your entire supply chain to defend against a third party’s system being compromised

  • Make sure that each vendor and partner that your company works with has strong MFA enabled at every security level. One vendor without this protection will always be the weakest link

Never trust, always verify

  • Assume a device or user is bad until proven otherwise
  • Require multifactor authentication and eliminate transient and implicit trust for all access
  • Defend networks and systems against lateral movement

Make access decisions in real-time and keep records of every authentication transaction

  • All access decisions should be independent of previous access
  • Many of the aforementioned breaches allowed access for several days – this type of transient trust that allows access for multiple transactions over several days should be avoided

Limit user access

  • Implement least-privilege access rules – it appears that Microsoft and Okta were able to reduce the blast radius of compromise through this mechanism
  • Permit user access on a need-to-know basis to limit the amount of damage from any one user

Remember – there’s no such thing as a good password

  • Passwords are the hacker’s easiest way to gain access and contribute to everything from theft to ransomware lockout—so removing passwords greatly reduces risk
  • There has been a lot of emphasis on protecting the front door through passwords and MFA—but backdoors (e.g. password resets) are just as important to secure
  • The key is to remove passwords and shared secrets everywhere – including for account recovery

Conclusion

As geopolitical tensions increase, attacks on infrastructure and private entities are expected to increase. Passwords are the easiest way to break in. And password resets using standard MFA approaches are also vulnerable to attack. Cybercriminals can reroute or capture one-time SMS passcodes and compromise challenge questions that rely on easily obtained personally identifiable information (PII).

Once an organization’s network is compromised directly or through a third party, the potential damage caused by a hacker is not limited to the company but extends to its customers, employees, and assets.

With authID’s Verified™ solution, organizations can remove password risk and vulnerabilities from the internal MFA workflow using cloud-based facial biometric authentication with anti-spoofing “liveness confirmation” that verifies the true account owner seamlessly. This pioneering AI-powered technology delivers bias-free identity certainty through a strong system that relies on authenticating the user, not just the device. The result is a more secure, user-friendly identity authentication experience. Verified™ is device agnostic, provides secure message delivery, and allows for self-service recovery using biometrics.

Want to learn more? Contact authID.ai today at 1 (516) 778-5639 or click here to schedule a demo.