Password Reset Hack Costs Clorox $400M – The Big Security Lesson

johny899
Ever thought a simple “forgot password” call could cost a company nearly $400 million? Sounds crazy, right? But that’s exactly what happened to Clorox after hackers pulled a brilliant little trick on their help desk. It really makes me consider how often I casually reset my own passwords.

The Hack That Started With A Phone Call

In August 2023, a member of the group known as Scattered Spider carried out a social-engineering attack. Instead of smashing through firewalls or dropping some ridiculous next-gen malware, they called Clorox’s outsourced help desk (run by Cognizant) and pretended to be a locked-out employee.

The miserable part is that the agents reset the passwords, and the MFA, without ever meaningfully verifying who was on the line. Imagine dialing in, saying to the agent, “Hey, I’m locked out, can you help me reset my login?” and hearing back, “Sure thing, buddy.”

The Damage That Followed

Once the attackers had a foothold, they got busy: they escalated privileges, obtained domain administrator rights, and moved laterally across Clorox’s systems in short order. The damage resulting from this incident:

• $380M in total damage.
• About $49M of that in remediation, and
• The remainder in business-interruption losses.

For a company like Clorox, this is more than just a bad day in the office; this is financial Armageddon.

Why This Matters to Everyone

Now, you’re probably thinking, “Well, I don’t run a global corporation, so what do I care?” But here’s the kicker: this shows that tiny cracks in human processes can lead to large-scale chaos.

Think about the accounts you own. Have you ever reused the same weak password? Have you ever trusted someone too quickly? Hackers can take advantage of all of that, and it’s not always code; sometimes it’s simply asking nicely.

Lessons Learned (and What Companies Should Do)

If I were running a help desk, these fixes would be set in stone:

Out-of-band verification: Call back on the number already on file in the directory (never one the caller supplies) or send a one-time token to that number and have the caller read it back.

Two-person approval: Major actions (e.g. resetting MFA or touching a privileged account) should require a second approver who is not the agent on the call.

Temporary suspension of access: If a request looks suspicious (wrong token, caller-supplied callback number, pressure to hurry), deny it and freeze the account without undue delay, then escalate for review.

Third-party audits: When support is outsourced, ask how often the vendor tests its agents against social-engineering attempts and how it measures the results.
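To make the first three controls concrete, here is an added example of a help-desk reset workflow that enforces them in code. It is not Clorox’s or Cognizant’s process and is not from the original post; the user directory, phone numbers, agent names and the SMS hook are all constructed so that it runs offline. The one-time token only ever goes to the phone number of record, a caller who offers a different callback number is locked out, a wrong token freezes the account, and an MFA or privileged reset cannot be completed by the agent who took the call alone.

```python
"""Help-desk reset workflow: out-of-band verification, two-person approval
and temporary suspension. Added illustration; not the process of any real
help desk. DIRECTORY, agent names and the SMS hook are constructed."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Constructed directory of record: the token always goes to the number stored
# here, never to a number the caller reads out over the phone.
DIRECTORY = {
    "jdoe":   {"phone": "+15555550100", "privileged": True},
    "asmith": {"phone": "+15555550101", "privileged": False},
}
TOKEN_TTL_SECONDS = 300


class VerificationError(Exception):
    """Raised whenever a request must not proceed."""


def _hash(token):
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class ResetRequest:
    username: str
    action: str            # "password" or "mfa"
    opened_by: str         # agent who took the call
    token_hash: str
    expires_at: float
    verified: bool = False
    approvals: set = field(default_factory=set)


class HelpDesk:
    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms      # injected so the example runs offline
        self._clock = clock
        self._requests = {}
        self.locked = set()            # accounts frozen after a suspicious attempt

    def open_request(self, agent, username, action, callback_number=None):
        """Step 1, out-of-band verification: send a one-time token to the number on file."""
        if username not in DIRECTORY or username in self.locked:
            raise VerificationError("unknown or locked account")
        if callback_number is not None:
            # A caller-supplied number is a red flag, not an input: freeze and stop.
            self.locked.add(username)
            raise VerificationError("callback numbers come from the directory, not the caller")
        token = f"{secrets.randbelow(10**6):06d}"
        self._send_sms(DIRECTORY[username]["phone"], token)
        self._requests[username] = ResetRequest(
            username, action, agent, _hash(token), self._clock() + TOKEN_TTL_SECONDS)

    def verify_token(self, username, token):
        """Step 2: the caller reads back the token that reached the real employee."""
        req = self._requests[username]
        if self._clock() > req.expires_at:
            raise VerificationError("token expired")
        if not hmac.compare_digest(req.token_hash, _hash(token)):
            # Temporary suspension: a wrong token on a reset call is treated as
            # an attack in progress, not a typo.
            self.locked.add(username)
            del self._requests[username]
            raise VerificationError("token mismatch; account locked pending review")
        req.verified = True

    def approve(self, username, approver):
        """Step 3, two-person rule: the approver must not be the agent on the call."""
        req = self._requests[username]
        if approver == req.opened_by:
            raise VerificationError("approver must differ from the opening agent")
        req.approvals.add(approver)

    def execute(self, username):
        """Step 4: perform the reset only when every gate has been passed."""
        req = self._requests[username]
        if not req.verified:
            raise VerificationError("identity not verified")
        sensitive = req.action == "mfa" or DIRECTORY[username]["privileged"]
        if sensitive and not req.approvals:
            raise VerificationError("MFA and privileged resets require a second approver")
        del self._requests[username]
        return f"{req.action} reset for {username} completed"


def demo():
    """Replays a legitimate reset next to the kind of calls described above."""
    outbox, results = [], {}
    def sms(number, token): outbox.append((number, token))   # constructed SMS hook

    desk = HelpDesk(sms)                       # legitimate: token reaches the real phone
    desk.open_request("agent-a", "asmith", "password")
    desk.verify_token("asmith", outbox[-1][1])
    results["legit"] = desk.execute("asmith")
    try:                                       # attacker offers a "new" callback number
        desk.open_request("agent-a", "jdoe", "mfa", callback_number="+15555559999")
    except VerificationError as e:
        results["callback"] = str(e)

    desk = HelpDesk(sms)                       # attacker never sees the token and guesses
    desk.open_request("agent-a", "jdoe", "mfa")
    wrong = f"{(int(outbox[-1][1]) + 1) % 10**6:06d}"
    try:
        desk.verify_token("jdoe", wrong)
    except VerificationError as e:
        results["bad_token"] = str(e)
    results["locked"] = "jdoe" in desk.locked

    desk = HelpDesk(sms)                       # real admin, but a lone agent cannot finish an MFA reset
    desk.open_request("agent-a", "jdoe", "mfa")
    desk.verify_token("jdoe", outbox[-1][1])
    try:
        desk.approve("jdoe", "agent-a")
    except VerificationError as e:
        results["self_approval"] = str(e)
    try:
        desk.execute("jdoe")
    except VerificationError as e:
        results["no_approval"] = str(e)
    desk.approve("jdoe", "agent-b")
    results["approved"] = desk.execute("jdoe")
    return results
```

The design choice worth noticing is that the caller never gets to steer the verification channel: the only accepted proof is a token delivered to the employee’s own device, so an attacker who knows the victim’s name and manager still has nothing to read back. Every failure path leaves the account frozen rather than retrying, which is the “terminate without undue delay” control from the list.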

It sounds basic, right? Yet skipping these four steps is the difference between a routine ticket and a bill of up to $400 million.

The $400M Reminder

This is more than a Clorox problem; it’s a wake-up call. Security is only as good as the humans in the loop. After all, if a hacker can just talk their way in, they don’t need the latest and greatest toolkits.