After $380M hack, Clorox sues its “service desk” vendor for simply giving out passwords

Hacking is hard. Well, sometimes.

Other times, you just call up a company’s IT service desk and pretend to be an employee who needs a password reset, an Okta multifactor authentication reset, and a Microsoft multifactor authentication reset… and it’s done. Without even verifying your identity.

So you use that information to log in to the target network and discover a more trusted user who works in IT security. You call the IT service desk back, acting like you are now this second person, and you request the same thing: a password reset, an Okta multifactor authentication reset, and a Microsoft multifactor authentication reset. Again, the desk provides it, no identity verification needed.

So you log in to the network with these new credentials and set about planting ransomware or exfiltrating data in the target network, eventually doing an estimated $380 million in damage. Easy, right?

According to The Clorox Company, which makes everything from lip balm to cat litter to charcoal to bleach, this is exactly what happened to it in 2023. But Clorox says that the “debilitating” breach was not its fault. It had outsourced the “service desk” part of its IT security operations to the massive services company Cognizant—and Clorox says that Cognizant failed to follow even the most basic agreed-upon procedures for running the service desk.

In the words of a new Clorox lawsuit, Cognizant’s behavior was “all a devastating lie,” it “failed to show even scant care,” and it was “aware that its employees were not adequately trained.”

“Cognizant was not duped by any elaborate ploy or sophisticated hacking techniques,” says the lawsuit, using italics to indicate outrage emphasis. “The cybercriminal just called the Cognizant Service Desk, asked for credentials to access Clorox’s network, and Cognizant handed the credentials right over. Cognizant is on tape handing over the keys to Clorox’s corporate network to the cybercriminal—no authentication questions asked.”

I can has password reset?

From 2013 through 2023, Cognizant had helped “guard the proverbial front door” to Clorox’s network by running a “service desk” that handled common access requests around passwords, VPNs, and multifactor authentication (MFA) such as SMS codes.
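The control the complaint says was missing at the service desk is an identity-verification gate: no password or MFA reset is performed until the caller has passed checks proportionate to what the account can do. The following is an added illustration of such a gate, not code from the article or from Clorox or Cognizant; the evidence kinds (callback to the number on file, knowledge questions, a live ID check, out-of-band manager confirmation) and the tier rules are assumptions, and the account names are constructed.

```python
"""Identity-verification gate for a service desk (added example, not from the article).

Models the control the Clorox complaint describes as absent: a reset is only
executed once the caller has supplied verification appropriate to the account.
Evidence kinds, tier rules and account names are assumptions for illustration.
"""
from dataclasses import dataclass
from enum import Enum


class ResetType(Enum):
    PASSWORD = "password"
    OKTA_MFA = "okta_mfa"
    MICROSOFT_MFA = "microsoft_mfa"


class Evidence(Enum):
    # Verification steps an agent can record before acting (constructed labels).
    CALLBACK_TO_NUMBER_ON_FILE = "callback"   # desk hangs up, calls the HR-recorded number
    KNOWLEDGE_QUESTIONS = "kba"
    LIVE_ID_CHECK = "id_check"                # video call with government ID
    MANAGER_CONFIRMATION = "manager_confirm"  # out-of-band, from the manager on file


MFA_RESETS = {ResetType.OKTA_MFA, ResetType.MICROSOFT_MFA}


@dataclass(frozen=True)
class Account:
    username: str
    privileged: bool  # assumption: member of IT security / admin groups


@dataclass(frozen=True)
class ResetRequest:
    account: Account
    resets: frozenset                  # of ResetType
    evidence: frozenset = frozenset()  # of Evidence, as recorded by the agent


@dataclass(frozen=True)
class Decision:
    username: str
    allowed: bool
    missing: frozenset  # Evidence still required before the desk may act
    audit_line: str


def required_evidence(request: ResetRequest) -> frozenset:
    """Evidence the desk must hold before touching the account.

    Tier rules (assumptions): an ordinary password reset needs a callback to the
    number on file plus knowledge questions; removing an MFA factor is a stronger
    action and adds a live ID check; a privileged account additionally needs the
    manager to confirm out of band, which a caller's own claim can never satisfy.
    """
    needed = {Evidence.CALLBACK_TO_NUMBER_ON_FILE, Evidence.KNOWLEDGE_QUESTIONS}
    if request.resets & MFA_RESETS:
        needed.add(Evidence.LIVE_ID_CHECK)
    if request.account.privileged:
        needed.add(Evidence.MANAGER_CONFIRMATION)
    return frozenset(needed)


def evaluate(request: ResetRequest) -> Decision:
    """Gate the request; the desk performs the resets only when allowed is True."""
    missing = required_evidence(request) - request.evidence
    allowed = not missing
    actions = ",".join(sorted(r.value for r in request.resets))
    held = ",".join(sorted(e.value for e in request.evidence)) or "none"
    # Every decision, denials above all, goes to an audit trail so that one caller
    # working through several accounts in a row is visible to the SOC.
    audit_line = (f"account={request.account.username} privileged={request.account.privileged} "
                  f"requested={actions} evidence={held} "
                  f"decision={'ALLOW' if allowed else 'DENY'} "
                  f"missing={','.join(sorted(m.value for m in missing)) or '-'}")
    return Decision(request.account.username, allowed, frozenset(missing), audit_line)


def repeat_denied_callers(decisions, threshold: int = 2) -> set:
    """Accounts with `threshold` or more denied resets: a signal worth paging on."""
    counts = {}
    for d in decisions:
        if not d.allowed:
            counts[d.username] = counts.get(d.username, 0) + 1
    return {user for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    # Replays the sequence in the article with the gate in place: two calls asking
    # for password + Okta MFA + Microsoft MFA resets with no verification at all.
    everything = frozenset(ResetType)
    for account in (Account("employee1", False), Account("secadmin", True)):
        print(evaluate(ResetRequest(account, everything)).audit_line)
    # A properly verified request for the privileged account is allowed.
    print(evaluate(ResetRequest(Account("secadmin", True), everything,
                                frozenset(Evidence))).audit_line)
```

The point of the tiering is that the request in the article bundles three resets, two of which remove an MFA factor, against accounts of increasing privilege; each of those properties should raise the bar, and the manager confirmation for privileged accounts is deliberately something the caller cannot supply during the call itself.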
