Cambridge: 01223 209920        London: 020 3519 0124        Ireland: +353 1697 2287        Sheffield: 0114 349 8054        Suffolk: 0144 059 2163         Email: Lucy@breathetechnology.com

breathe technology

infrastructure | support | security | cloud

Another good reason to enforce MFA

By MerciaPosted on Posted in Uncategorized

(This is a threat many organisations do not see coming … Watch the video summary at the end or read the full article below.)

What would happen if someone got hold of one of your employees’ passwords from years ago?

Not a password they’re using today. Not one they even remember.

Just an old one that never got changed, because that’s exactly how a recent, large-scale data-theft campaign worked.

A recent investigation by a cyber security firm uncovered a new hacking campaign. Sensitive business data from dozens of organisations around the world was quietly collected and later put up for sale on the dark web.

Different industries. Different countries. Different sizes of organisations.

One thing kept coming up again and again.

Every affected organisation had allowed staff to log into important cloud systems using nothing more than a username and password. No second step. No extra check. Just type your password and you’re in.

This is where MFA comes in.

Multi-factor authentication simply means using more than one piece of evidence to prove it’s really you. Usually that’s your password plus something else, like a code on your phone, a notification you approve, or a fingerprint.

So even if someone steals your password, they still can’t get in.

In these cases, MFA wasn’t enforced.

So how did the attackers get hold of the passwords in the first place?

They relied on something called infostealing malware. That’s a type of malicious software that can end up on a computer without the person using it realising.

Once it’s there, it quietly collects saved passwords, login details, and other sensitive information, and sends it back to criminals.

This doesn’t only happen on office computers. It can happen on home devices, personal laptops, or any machine that’s ever been used to log into work systems.

When those details are stolen, they don’t always get used straight away. And this is the part that really matters.

Some of the passwords used in this campaign were years old.

That tells us two important things:

  • Passwords weren’t being changed often enough
  • Old logins were still being trusted long after they should have been invalidated

In other words, a device infected a long time ago could suddenly become a serious problem today.

This has been described as a “latency” issue. The threat sits quietly in the background, waiting. An old mistake doesn’t disappear just because time has passed.

The attackers would have been stopped if MFA had been switched on.

They had the passwords, but they didn’t have the second factor. No phone. No app. No approval tap. That one extra step would have turned a successful break-in into a dead end.

This is why security professionals (like us) keep saying the same thing, repeatedly: Passwords on their own are no longer enough.

We know one of the most common reactions to MFA is, “But it’s annoying”. And yes, it does add an extra moment to the login process.

However, compare that to what happens when a password nobody remembers is still valid years later. When confidential files can be copied, sold, or quietly taken without anyone noticing until it’s too late.

MFA turns a stolen password into a useless piece of information. And that’s why enforcing MFA isn’t overkill anymore, it’s sensible.

If there’s one lesson here, it’s a simple one: Old passwords don’t expire on their own. One extra lock on the door makes all the difference.

Need help getting set up? Get in touch.

☎️ Camb: 01223 209920     ☎️ London: 020 3519 0124
☎️ Suffolk: 0144 059 2163    ☎️ Sheffield: 0114 349 8054

💻 www.breathetechnology.com | 📧 lucy@breathetechnology.com

Watch our short video below:

[preloadyoutube ytid=xU-gVNea0ak]

Download the Outsourced IT Support Checklist

Every Manager responsible for IT (Finance, Office Manager, Ops etc), that's not an IT Manager by profession should review their IT Support experience. How do you know if your expectations are realistic, is the team performing, are you at risk and didn't realise? Do you have doubts? Or are they simply great,

This Check Outsourced IT Support Checklist has been created, after performing hundreds of IT Audits over more than 20 years, revealing the most commonly found problems caused by IT Support Providers.

How does yours compare? Download for free today!

(PS. Your details remain confidential and will never be shared with anyone else)