The $400 Million Password Reset: How a Simple Phone Call Crippled Clorox
A devastating hack shows that the weakest link in cybersecurity isn’t code - it’s the human voice on the other end of the help desk.
Fast Facts
- In August 2023, hackers breached Clorox by tricking a third-party help desk into resetting credentials - no technical hacking required.
- The attack led to nearly $380 million in damages, with major business disruptions and remediation costs.
- The attackers, linked to the Scattered Spider group, used social engineering - posing as locked-out employees over the phone.
- Credential theft and weak verification processes are behind nearly 45% of major data breaches, according to Verizon’s Data Breach Investigations Report.
- Outsourced service desks, if poorly managed, can become high-value targets granting attackers broad access across organizations.
When a Password Reset Breaks the Bank
Imagine a high-stakes bank vault where the combination isn’t cracked by a master thief, but handed over by a friendly receptionist after a convincing phone call. That’s essentially what happened to Clorox last August, when attackers sidestepped sophisticated defenses and walked straight through the front door - armed with nothing but charm and a script.
The group behind the attack, known as Scattered Spider, didn’t need exotic malware or zero-day exploits. Instead, they simply called the service desk managed by Cognizant, pretending to be Clorox employees locked out of their accounts. Without proper checks, service agents repeatedly reset passwords and multi-factor authentication (MFA) settings. This gave the attackers a launching pad to escalate privileges, eventually gaining domain-wide access and paralyzing Clorox’s operations.
The Human Factor: Social Engineering’s Costliest Trick
Social engineering attacks prey on human instinct - helpfulness, hurry, and habit. By gathering insider details and sounding legitimate, attackers can pressure frontline support staff to bend or ignore security rules. In Clorox’s case, court documents allege that agents skipped mandatory verification steps, violating both procedure and contract. The result? Production lines halted, orders processed by hand, shipments delayed, and a supply chain thrown into chaos.
This wasn’t the first time: Similar attacks have rocked giants like MGM Resorts and Caesars Entertainment, both hit by phone-based social engineering in 2023. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has repeatedly warned that outsourced help desks are prime targets, as they often have broad, cross-company access and are overwhelmed by high call volumes - making them prone to shortcuts and mistakes.
Securing the Service Desk: Lessons from the Fallout
Why does outsourcing magnify the risk? Third-party vendors may control sensitive access for many clients, yet their processes can lag behind the latest threats. Weak verification, ambiguous scripts, and fragmented logging give attackers a perfect storm to exploit. The Clorox breach highlights the urgent need for:
- Robust, out-of-band identity verification - like callbacks or cryptographic challenges instead of easy-to-guess questions.
- Multi-person approval for high-risk resets and real-time alerts for suspicious activity.
- Immutable logging and integration with security monitoring tools to catch and contain attacks quickly.
- Regular social engineering simulations and contractually enforced standards for vendors, complete with audits and transparent reporting.
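The following is an added example, not code from the article or from Clorox, Cognizant or any vendor named here. It models a help-desk credential-reset workflow that enforces the first three controls above: a reset is refused unless the agent has completed an out-of-band callback to the number on file (answering knowledge-based questions alone never counts), resets that touch MFA need two distinct approvers, every decision is written to a hash-chained append-only audit log whose integrity can be checked, and repeated resets on one account or any denied attempt raise an alert. The ticket fields, approver rule, 24-hour repeat window and the sample tickets are all constructed assumptions for illustration.

```python
"""Credential-reset workflow with out-of-band verification, two-person
approval for high-risk resets, a hash-chained audit log and simple alerting.
Illustrative example only; every policy value below is an assumption."""
import hashlib
import json
from dataclasses import dataclass

# Constructed policy values (assumptions for this example).
HIGH_RISK_KINDS = {"mfa_reset", "password_and_mfa_reset"}
MIN_APPROVERS_HIGH_RISK = 2
REPEAT_WINDOW_SECONDS = 24 * 3600   # a second approved reset within a day is flagged


@dataclass(frozen=True)
class ResetRequest:
    ticket_id: str
    account: str
    kind: str                 # "password_reset", "mfa_reset" or "password_and_mfa_reset"
    kba_passed: bool          # caller answered knowledge-based questions (researchable, so not sufficient)
    callback_confirmed: bool  # agent hung up, dialled the number on file, and the account owner confirmed
    approvers: tuple          # ids of the agents who signed off
    timestamp: int


class AuditLog:
    """Append-only, hash-chained log: each entry commits to the previous hash,
    so editing or deleting any earlier entry makes verify() fail."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev: str, event: dict) -> str:
        return hashlib.sha256((prev + json.dumps(event, sort_keys=True)).encode()).hexdigest()

    def append(self, event: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        digest = self._digest(prev, event)
        self.entries.append({"prev": prev, "event": event, "hash": digest})
        return digest

    def verify(self) -> bool:
        prev = self.GENESIS
        for entry in self.entries:
            if entry["prev"] != prev or entry["hash"] != self._digest(prev, entry["event"]):
                return False
            prev = entry["hash"]
        return True


class ResetDesk:
    def __init__(self, log: AuditLog):
        self.log = log
        self.alerts = []    # in a real deployment these would be forwarded to the SIEM
        self.history = {}   # account -> timestamps of approved resets

    def _decide(self, req: ResetRequest) -> str:
        # Knowledge-based answers alone never authorise a reset; the callback is mandatory.
        if not req.callback_confirmed:
            return "denied: out-of-band callback not confirmed"
        if not req.approvers:
            return "denied: no approver recorded"
        if req.kind in HIGH_RISK_KINDS and len(set(req.approvers)) < MIN_APPROVERS_HIGH_RISK:
            return "denied: high-risk reset needs two distinct approvers"
        return "approved"

    def process(self, req: ResetRequest) -> str:
        decision = self._decide(req)
        # Every decision, approved or not, is recorded before anything else happens.
        self.log.append({"ticket": req.ticket_id, "account": req.account, "kind": req.kind,
                         "kba": req.kba_passed, "callback": req.callback_confirmed,
                         "approvers": list(req.approvers), "decision": decision, "ts": req.timestamp})
        if decision == "approved":
            recent = [t for t in self.history.get(req.account, [])
                      if req.timestamp - t < REPEAT_WINDOW_SECONDS]
            if recent:
                self.alerts.append(f"{req.account}: repeated reset within window (ticket {req.ticket_id})")
            self.history.setdefault(req.account, []).append(req.timestamp)
        else:
            # A refused reset is itself a signal the security team should see promptly.
            self.alerts.append(f"{req.account}: {decision} (ticket {req.ticket_id})")
        return decision


def run_demo():
    """Constructed tickets: the first mirrors the article's scenario, a caller who passes the
    easy questions but cannot answer a callback to the registered number."""
    desk = ResetDesk(AuditLog())
    now = 1_700_000_000
    tickets = [
        ResetRequest("T-1", "jdoe", "password_and_mfa_reset", True, False, ("agent-7",), now),
        ResetRequest("T-2", "jdoe", "password_reset", True, True, ("agent-7",), now + 600),
        ResetRequest("T-3", "asmith", "mfa_reset", True, True, ("agent-7",), now + 900),
        ResetRequest("T-4", "asmith", "mfa_reset", True, True, ("agent-7", "lead-2"), now + 1200),
        ResetRequest("T-5", "jdoe", "password_reset", True, True, ("agent-3",), now + 3000),
    ]
    decisions = [desk.process(t) for t in tickets]
    return decisions, desk


if __name__ == "__main__":
    results, d = run_demo()
    for r in results:
        print(r)
    print("alerts:", *d.alerts, sep="\n  ")
    print("audit log intact:", d.log.verify())
```

The hash chain is a minimal stand-in for the immutable logging the list calls for; in production the chain head would be anchored somewhere the help-desk vendor cannot rewrite, such as a write-once log store or a monitoring system the client controls, so that an agent who skipped a step cannot later make the record say otherwise.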
Ultimately, technology can help - but the real challenge is building a culture of vigilance. In a world where a single phone call can cost hundreds of millions, organizations must treat every password reset like a potential breach and every help desk agent as the last line of defense.
WIKICROOK
- Social Engineering: Social engineering is the use of deception by hackers to trick people into revealing confidential information or providing unauthorized system access.
- Multi-Factor Authentication: Multi-factor authentication (MFA) requires more than one proof of identity - typically a password plus a device or code the user holds - before access is granted; a help desk that resets a user's MFA enrollment on request removes that second check, so MFA resets need the same verification as password resets.
- Out-of-Band Verification: Out-of-band verification confirms identity using a separate channel, like a callback to a phone number already on file or a text message, to enhance security and prevent unauthorized access.
- Domain Admin: A Domain Admin is a highly privileged account with full control over an organization’s computer network, making its security crucial.
- Immutable Audit Trail: An immutable audit trail is a permanent, tamper-proof record of actions, used to detect, investigate, and prevent suspicious or unauthorized activity.