How do hackers get passwords? Sometimes, they just ask.

Cybersecurity breaches can often appear daunting, yet some hackers exploit surprisingly simple tactics. A recent incident involving The Clorox Company highlights this alarming trend. In 2023, the company fell victim to a significant breach that resulted in an estimated $380 million in damages, all initiated by a seemingly benign phone call. The hacker impersonated a Clorox employee, contacting the IT service desk and requesting a password reset along with multifactor authentication resets for Okta and Microsoft accounts. Astonishingly, the service desk complied without verifying the caller's identity. This lapse in security allowed the hacker to gain access to the network and subsequently impersonate another trusted IT security user. A second call to the service desk led to yet another password reset, further compromising Clorox’s security. Clorox has since filed a lawsuit against Cognizant, the outsourced IT service provider responsible for managing its service desk operations. The lawsuit accuses Cognizant of failing to adhere to even the most basic security protocols, stating that their negligence was a “devastating lie.” According to Clorox, Cognizant's staff lacked adequate training and awareness, allowing the cybercriminal to exploit the service desk without encountering any authentication barriers. Cognizant’s role was to protect Clorox’s network from such breaches, yet the incident underscores a critical vulnerability in cybersecurity practices. The lawsuit asserts that the firm was not misled by sophisticated hacking techniques but rather succumbed to a straightforward social engineering attack, where the hacker simply made a call and received access credentials without any verification. This case serves as a stark reminder of the importance of stringent security measures and training in the ever-evolving landscape of cybersecurity.