
The Human Problem: Identity Theft & Broken Access Management

Threat landscape


December 10, 2025

Business owners, IT managers, security teams: hybrid and remote work in 2025 is a minefield. Coffee-shop logins, SaaS chaos, weak passwords that everyone reuses or writes on a sticky note stuck to the machine.

What we see is: 22% of breaches start with stolen credentials (Verizon DBIR 2025).

Average cost per incident for a company is $4.88M (IBM Cost of a Data Breach 2024). And the scariest part: most attacks aren't zero-days, just criminals using social engineering and exploiting the human side of IAM.

Let's start with three real and loud scenarios that have already happened:

---

Major cybersecurity incidents 2022–2023

Okta Breaches (2022–2023)

What happened

- 2022 (LAPSUS$ attack): Teen hackers compromised a third-party support engineer's account at a subcontractor. They gained ~5 weeks of full access to internal Slack and Jira instances containing sensitive data of 366 Okta customers.

- 2023 (Compromised Customer Support): Later, a group used social engineering against Okta's help-desk, convincing support staff to send HAR files containing active session cookies and tokens. Thousands of customer sessions were exposed.

Root cause

- Overly permissive third-party access

- Weak or missing MFA enforcement for support partners

- Help-desk procedures that allowed session token sharing and MFA reset bypass

Impact

- Multiple class-action lawsuits

- Significant stock price drops after each disclosure

- Massive follow-on phishing and account-takeover wave against affected customers

---

RedLine Stealer – the dominant Infostealer (2020–2024)

What happened

RedLine was the most popular, and also cheapest (~$100–$200 lifetime license) information stealer sold on Russian-speaking forums. It spread primarily through fake game cracks, software activators, malicious Discord attachments, and Nitro scams.

Once executed, it may harvest a ton of things, including:

- Saved passwords & cookies from all major browsers

- Cryptocurrency wallet files

- 2FA authenticator data

- Session tokens for Steam, Discord, etc.

Root cause

- Users running untrusted executables on personal/work devices

- Password reuse and browser auto-fill

- Lack of endpoint protection on employee personal laptops

Impact

- A large share of all credential logs sold on major dark-web markets in the 2020s originated from RedLine

- Real-world example: wallets of the Iranian crypto exchange Nobitex were drained of USD 81.7M in 2025, after RedLine had reportedly been present on employee laptops since 2023–2024.

---

MGM Resorts Ransomware Attack (September 2023)

What happened

Scattered Spider (operating under the alias "ALPHV/BlackCat"):

1. Identified MGM help-desk phone numbers and employee names via LinkedIn

2. Called the help-desk pretending to be legitimate employees

3. Used basic vishing techniques ("I'm locked out, traveling urgently, can't receive SMS") to convince staff to approve MFA reset requests for ~10 high-privileged accounts

No malware. No technical exploit. Within minutes of gaining initial access, the attackers escalated privileges, deployed ransomware, and shut down critical systems for days (Forbes).

Root cause

- Insufficient verification during MFA reset requests

- Help-desk staff trained to be "customer-friendly" rather than security-first

- No mandatory call-back verification to a known number

Impact

- Entire casino and hotel operations (slot machines, room keys, reservations) offline for ~10 days

- $100 million revenue loss (confirmed by MGM CEO Bill Hornbuckle during Q3 2023 earnings call and SEC filings)

- Additional extortion payment (undisclosed) and recovery costs

- Wave of copycat vishing attacks against other casino operators

---

Why IAM Keeps Breaking

Think of IAM like a luxury high-rise you spent millions securing: biometric locks on the penthouse, 24/7 concierge, cameras in every hallway—yet everything collapses the moment someone props open the service entrance with a brick.

Here's what keeps happening:

Outdated or weak MFA methods

SMS and TOTP-based MFA remain the default. MFA fatigue attacks (push-bombing) work alarmingly well—Microsoft observed 382,000 MFA fatigue attacks over a 12-month period, with ~1% of users accepting the very first unexpected prompt.

Attackers bombard victims with push notifications until they click "Yes" out of annoyance or panic. And SIM-swapping still defeats SMS MFA in 2025.
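To make the push-bombing pattern concrete, here is an added detection example (not from the original post): it walks a constructed push-MFA log and flags users who received a burst of prompts, or who approved one after repeatedly refusing. The log format, thresholds and user names are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # per-user look-back window
BURST_THRESHOLD = 5              # prompts inside the window that count as push-bombing
REFUSALS_BEFORE_APPROVAL = 3     # refused prompts before a "yes" that indicate fatigue

# Constructed sample log, one push prompt per line: "<ISO timestamp> <user> <result>"
SAMPLE_LOG = """\
2025-12-01T08:00:02Z alice approved
2025-12-01T22:14:00Z bob denied
2025-12-01T22:14:40Z bob timeout
2025-12-01T22:15:10Z bob denied
2025-12-01T22:15:55Z bob timeout
2025-12-01T22:16:30Z bob denied
2025-12-01T22:17:05Z bob approved
2025-12-02T09:30:00Z carol denied
2025-12-02T09:31:00Z carol approved
"""
def parse_line(line):
    ts, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result

def detect_push_bombing(log_text, window=WINDOW, burst=BURST_THRESHOLD,
                        refusals=REFUSALS_BEFORE_APPROVAL):
    """Return {user: [finding, ...]}: a burst of `burst` prompts inside `window`
    (reported once, when the threshold is first crossed) and an approval that
    follows `refusals` or more denied/timed-out prompts, i.e. the user gave in."""
    recent = defaultdict(deque)      # user -> deque[(timestamp, result)] inside window
    findings = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, result = parse_line(line)
        q = recent[user]
        q.append((ts, result))
        while ts - q[0][0] > window:  # expire prompts older than the window
            q.popleft()
        if len(q) == burst:
            findings[user].append(f"{ts:%H:%M:%S} burst: {burst} prompts within {window}")
        refused = sum(1 for _, r in q if r in ("denied", "timeout"))
        if result == "approved" and refused >= refusals:
            findings[user].append(f"{ts:%H:%M:%S} approval after {refused} refused "
                                  "prompts: revoke the session and verify out-of-band")
    return dict(findings)

if __name__ == "__main__":
    for user, notes in detect_push_bombing(SAMPLE_LOG).items():
        print(user, *notes, sep="\n  ")
```

Only bob is reported: a burst of five prompts, then an approval after five refusals; carol's single denial followed by an approval stays below the thresholds.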

Saved passwords & session cookies in browsers

Employees save corporate credentials in Chrome/Edge/Firefox "for convenience." A single RedLine or Raccoon infostealer infection on a personal laptop = instant jackpot. Cookies and session tokens get stolen even when passwords are "manager-protected."

Valid cookies = MFA bypass paradise.

Shadow IT and unmanaged SaaS accounts

Employees spin up hundreds of unsanctioned SaaS tools (Notion, Figma, ChatGPT Enterprise, random AI startups). These "ghost" accounts use corporate email but stay invisible to IT and IAM systems. When an employee leaves, these accounts stay active forever—perfect entry points for account takeovers.
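An added example (not from the original post) of the reconciliation an IAM team can run to surface such ghost accounts: it compares constructed SaaS user exports against a constructed HR roster and flags accounts whose owner has left or is unknown, personal identities inside corporate apps, and dormant or never-used logins. The domain, roster, apps and dates are all assumed.

```python
from datetime import date
CORP_DOMAIN = "example.com"   # assumed corporate mail domain
DORMANT_DAYS = 90             # no sign-in for this long counts as dormant
TODAY = date(2025, 12, 10)    # constructed "as of" date for the review

# Constructed HR roster: normalised email -> employment status
HR_ROSTER = {
    "alice@example.com": "active",
    "bob@example.com": "terminated",
}
# Constructed user exports pulled from SaaS admin consoles, a CASB or OAuth-grant logs:
# (app, account email as the vendor stores it, last sign-in ISO date or None)
SAAS_ACCOUNTS = [
    ("Notion", "Alice@Example.com", "2025-11-28"),
    ("Figma", "bob@example.com", "2025-06-02"),
    ("SomeAIStartup", "dave+ai@example.com", None),
    ("Notion", "alice@gmail.com", "2025-12-01"),
]

def normalise(email):
    """Lower-case and drop a '+tag' suffix so aliases collapse onto one identity."""
    local, _, domain = email.lower().partition("@")
    return f"{local.split('+')[0]}@{domain}"

def review_saas_accounts(accounts, roster, today=TODAY,
                         corp_domain=CORP_DOMAIN, dormant_days=DORMANT_DAYS):
    """Return [(app, email, issue)] for accounts that should not exist or be active:
    owner left or is unknown to HR (ghost account), personal identity in a corporate
    app, never used, or dormant. One account can raise several issues."""
    findings = []
    for app, raw_email, last_login in accounts:
        email = normalise(raw_email)
        if not email.endswith("@" + corp_domain):
            findings.append((app, email, "non-corporate identity"))
            continue
        status = roster.get(email)
        if status is None:
            findings.append((app, email, "no HR record: ghost account"))
        elif status != "active":
            findings.append((app, email, f"owner {status}: deprovision"))
        if last_login is None:
            findings.append((app, email, "never signed in"))
        elif (today - date.fromisoformat(last_login)).days > dormant_days:
            findings.append((app, email, f"dormant for more than {dormant_days} days"))
    return findings

if __name__ == "__main__":
    for app, email, issue in review_saas_accounts(SAAS_ACCOUNTS, HR_ROSTER):
        print(f"{app:14} {email:22} {issue}")
```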

Over-permissioned accounts and help-desk shortcuts

"Just make me global admin for five minutes" culture never died. Help-desks still reset MFA after a 2-minute phone call (see MGM 2023, Uber 2022, Twilio 2022, Cisco 2023…).

One compromised privileged account = full domain or cloud tenant takeover in under 10 minutes.

Lack of phishing-resistant training

36% of all breaches still start with phishing or social engineering (Verizon DBIR 2024). Most employees still click suspicious links, approve MFA bombs, or give away codes when someone sounds authoritative.

Annual 10-minute CBT isn't training—it's compliance theater.

The reality check

You finally enforced hardware keys for all admins → attacker calls the help-desk, says "I lost my YubiKey on a business trip," and gets MFA reset in four minutes.

All your fancy tools, budgets, and policies—defeated by a 19-year-old with a burner SIM and confidence.

That's why IAM doesn't just "break" without proper training. It gets humiliated, publicly and repeatedly.

---

Non-negotiable moves that close 90% of the attack surface

You don't need seven complicated things. You need three to secure your environment:

1. Kill password logins for privileged accounts—replace with passkeys or hardware security keys

No more saved passwords, stolen cookies, MFA fatigue, or "I lost my phone" help-desk resets.

FIDO2/passkeys are phishing-proof and already supported by Microsoft, Google, Apple, Okta, and Duo. Start with admins and third-party vendors.

2. Enforce true Zero-Trust verification on every login

Impossible travel, new device, weird user-agent, or anomalous behavior = step-up auth or auto-block.

Modern Conditional Access tools (Microsoft Entra, Google BeyondCorp, Cloudflare Zero Trust, CrowdStrike Identity) do this out of the box. Flip the policies from "warn" to "block."

3. Make help-desk MFA resets impossible without callback to a pre-registered number or manager approval

This single change would have stopped MGM, Uber, Cisco, Twilio, and half of 2023's biggest breaches.
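As an added example of point 2 (not from the original post and not any vendor's policy engine), a minimal risk evaluator that turns new device, unusual user-agent and impossible travel into step-up or block decisions instead of a warning. The device inventory, user-agent allow-list, speed threshold and sign-in records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900       # roughly airliner speed; anything faster is impossible travel
GEO_SLACK_KM = 100            # ignore geo-IP jitter below this distance
KNOWN_DEVICES = {"alice": {"dev-laptop-01"}}   # constructed per-user device inventory
EXPECTED_UA_PREFIXES = ("Mozilla/5.0",)        # constructed: browsers only, scripts are "weird"

@dataclass
class SignIn:
    user: str
    ts: str        # ISO 8601 with offset, e.g. 2025-12-01T08:00:00+00:00
    lat: float
    lon: float
    device: str
    user_agent: str

def haversine_km(lat1, lon1, lat2, lon2):
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))   # Earth radius 6371 km

def evaluate(previous, current):
    """Return ("allow" | "step_up" | "block", reasons) for `current`, given the
    user's previous successful sign-in (or None). One soft signal -> step-up auth;
    impossible travel, or two or more signals together -> block, not warn."""
    reasons = []
    if current.device not in KNOWN_DEVICES.get(current.user, set()):
        reasons.append("new device")
    if not current.user_agent.startswith(EXPECTED_UA_PREFIXES):
        reasons.append("unusual user-agent")
    if previous is not None:
        delta = datetime.fromisoformat(current.ts) - datetime.fromisoformat(previous.ts)
        hours = delta.total_seconds() / 3600
        km = haversine_km(previous.lat, previous.lon, current.lat, current.lon)
        if km > GEO_SLACK_KM and (hours <= 0 or km / hours > MAX_PLAUSIBLE_KMH):
            reasons.append(f"impossible travel: {km:.0f} km in {hours:.1f} h")
    if any(r.startswith("impossible travel") for r in reasons) or len(reasons) >= 2:
        return "block", reasons
    return ("step_up", reasons) if reasons else ("allow", reasons)

# Constructed sign-ins for one user: baseline in Berlin, then three candidates
UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
PREVIOUS = SignIn("alice", "2025-12-01T08:00:00+00:00", 52.52, 13.40, "dev-laptop-01", UA)
ROUTINE = SignIn("alice", "2025-12-01T17:30:00+00:00", 52.52, 13.40, "dev-laptop-01", UA)
NEW_DEVICE = SignIn("alice", "2025-12-01T18:00:00+00:00", 52.52, 13.40, "dev-phone-09", UA)
# New York 90 minutes after Berlin, from a scripted client: the stolen-session pattern
HIJACK = SignIn("alice", "2025-12-01T09:30:00+00:00", 40.71, -74.01, "dev-laptop-01", "python-requests/2.32")
```

`evaluate(PREVIOUS, ROUTINE)` allows, `evaluate(PREVIOUS, NEW_DEVICE)` demands step-up, and `evaluate(PREVIOUS, HIJACK)` blocks on impossible travel plus an unusual user-agent.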

---

Everything else: quarterly access reviews, certificate-based auth for service accounts, monthly simulated phishing campaigns, AI-powered anomaly detection, dark-web monitoring for leaked credentials. Do those next, but the three above are the baseline.

> The strongest IAM policy in the world is worthless the moment a help-desk agent says 'Sure, I'll reset your MFA, just tell me your dog's name.'

Team training that works

Most phishing awareness programs feel like mandatory health class in high school: 45 minutes of "don't click bad links," followed by a multiple-choice quiz everyone looks up on ChatGPT.

Employees hate it, retention and engagement are near zero, and the next real phish still gets a 40% click rate because it's so sophisticated.

Turn defense into a sport, make it a competitive and fun thing.

Make phishing training a game people want to play

- Monthly "Phish Hunt" campaigns: Send real-looking (but safe) simulated emails via KnowBe4, Hoxhunt, or Proofpoint. First "X" people who correctly spot and report it win.

- Real prizes: 1st place gets $200–$500 bonus or extra vacation day. Top 10 get gift cards, AirPods, mechanical keyboards.

- Red Team vs Blue Team events (quarterly): External pentesters run a real vishing + phishing day. Defending team that blocks or reports the most attempts wins the pot.

Why This Works

People compete over fantasy football, Duolingo, and Wordle streaks... They'll absolutely compete over not being the person who clicks ransomware. Positive reinforcement beats fear and shame every time.

After 3–6 months, reporting suspicious emails becomes reflex because it's socially rewarded.

Companies that switched to gamified training (Cloudflare, Shopify, and others) routinely see huge improvements:

- Report rates jump from <5% to ~70%

- Successful test clicks drop below 3%

- Employees start policing each other ("dude, you fell for the fake Netflix one, you owe us coffee")

Alternatively, incorporate platforms like SoSafe for employee security training that doesn't suck.

Bottom line: Stop treating employees like the weakest link. Start treating them like your most motivated security sensor network. Give them a scoreboard and a prize, watch the culture flip overnight.

---

The Automation Lifeline

Manual IAM audits = burnout. AI-powered platforms like Qualys VMDR, CrowdStrike Falcon Identity Protection, or Snyk continuously hunt exposed credentials, misconfigs, and shadow accounts.

Organizations using AI extensively lowered the financial burden to $1.9M per breach on average and cut detection time by 80 days (IBM Cost of a Data Breach 2024).

What’s next?

Begin by implementing the measures mentioned in this article, and next up: secure your organization's infrastructure today with Deepengine!

Reach out to us if you need help getting started.
