Archive
Older identity incidents, research, and analyst notes — kept for reference.
Incident · Archive
Change Healthcare: 192M Individuals Exposed, No MFA
ALPHV/BlackCat used stolen credentials on a Citrix portal without MFA. Result: the largest healthcare breach in US history.
Microsoft Breached via Legacy Test Account Without MFA
Russian APT29 password-sprayed a forgotten test tenant without MFA, then abused OAuth applications to escalate into executive mailboxes.
Okta Breach Affected All Customer Support Users
Credentials from an employee's personal Google account provided access to Okta's support system, exposing data across the entire customer base.
Cloudflare Thanksgiving 2023: One Unrotated Token, One Atlassian Estate
A nation-state actor used a service token and three service-account credentials stolen in the October 2023 Okta support breach. Cloudflare had not rotated them because they were believed to be unused. The attacker reached Atlassian, then 76 code repositories.
23andMe Credential Stuffing: 6.9M Records via Genetic-Relative Graph
Attackers credential-stuffed about 14,000 23andMe accounts. Through the platform's DNA-Relatives feature, those compromised accounts pivoted into the profile data of 6.9 million additional users. The blast radius came from a feature, not from the IdP.
MGM Resorts: $100M Loss from a 10-Minute Phone Call
Scattered Spider impersonated an employee in a 10-minute call to the IT help desk and obtained Okta + Azure admin access.
Microsoft Storm-0558: A Single Signing Key Across 25 Organisations
A China-based actor used a stolen Microsoft consumer signing key to forge access tokens for Outlook Web Access and Outlook.com, then leveraged scope-validation gaps to reach enterprise tenants. ~25 organisations were affected; some US government accounts were among them.
T-Mobile API Abuse: 37 Million Records via a Single Endpoint
T-Mobile disclosed in its January 2023 8-K that an attacker exfiltrated personal data on 37 million customers by abusing a single API endpoint over six weeks. There was no infrastructure compromise — the API authentication and rate-limiting were the gap.
NHI & AI · Archive
OWASP Publishes First Non-Human Identity Top 10
OWASP's first-ever NHI-specific risk list codifies the most critical risks from API keys, service accounts, OAuth tokens, and machine identities.
Forrester AEGIS: Treat AI Agents as First-Class Identities
Forrester's AEGIS framework (Agentic AI Enterprise Guardrails for Information Security) says AI agents should be managed as first-class identities through standards-based IAM, and adds a principle worth naming: least agency, constraining not just what an agent can access but what decisions it is allowed to make.
Machine Identities Outnumber Humans 80:1
CyberArk's global survey found machine identities outnumber human identities by over 80:1. Nearly half have sensitive or privileged access. Most are unmanaged.
GitHub Actions Supply Chain Attack: 23,000 Repos Exposed
Attackers compromised the tj-actions/changed-files GitHub Action via a stolen PAT, exposing CI/CD secrets across 23,000 repositories.
U.S. Treasury Breached via Single Compromised API Key
A Chinese APT exploited a compromised BeyondTrust API key to access 3,000+ files across 100 Treasury Department computers, including OFAC and the Secretary's office.
Internet Archive Breached via Unrotated API Tokens
Attackers exploited an exposed GitLab token to access source code and a user database of 31M records, then used unrotated Zendesk tokens to access 800,000 support tickets.
CSA: Non-Human Identities Are the Largest Ungoverned Population
The Cloud Security Alliance's survey of practitioners across cloud and SaaS environments found that most organisations do not have an inventory of their non-human identities, let alone a lifecycle. The control gap maps directly to the breaches now occurring.
Sysdig 2024: 98% of Permissions on Cloud Identities Are Unused
Sysdig's analysis of customer cloud environments found that 98% of granted permissions on cloud identities are never used. Of those, the bulk sit on non-human identities — service accounts and workload identities with broad, static grants.
CSRB on Storm-0558: "A Cascade of Avoidable Errors"
The US Cyber Safety Review Board's review of the Storm-0558 incident concluded that the breach was preventable and pointed to systemic issues in Microsoft's signing-key custody, rotation, and identity-token validation.
Research · Archive
Verizon DBIR: 22% of Breaches Start with Stolen Credentials
The largest empirical breach dataset confirms stolen credentials as the #1 initial access vector. 88% of web app attacks used stolen credentials.
Mandiant M-Trends 2025: Stolen Credentials Top Initial-Access Vector
Mandiant's annual M-Trends report tracks initial-access vectors observed in real engagements. Stolen credentials rose to the top vector in 2024 telemetry, ahead of exploits and phishing. Median dwell time for credential-based intrusions remains the longest of any vector.
41% of Logins Use Breached Passwords
Analysis of billions of authentication requests reveals 41% of successful human logins use passwords already in breach databases. Breaches are not break-ins. They are logins.
GitGuardian Secrets Sprawl 2025: 70% of 2022 Leaks Still Live
GitGuardian's 2025 report counted 23.8 million secrets leaked on public GitHub in 2024, up 25% year-over-year. 70% of secrets leaked in 2022 are still active. 100,000 valid secrets were found inside public Docker images — including AWS keys and GitHub tokens belonging to Fortune 500 companies.
79% of Attacks Are Now Malware-Free
CrowdStrike's 2025 Global Threat Report confirms the decisive shift from malware to identity-based attacks. Access broker ads surged 50% YoY.
Cisco Talos 2024: Identity Attacks Are 60% of IR Engagements
Cisco Talos' incident-response engagements through 2024 found identity-related attacks (credential abuse, account takeover, valid-account misuse) at 60% of total IR cases — a near-doubling of the share reported five years earlier.
Microsoft Digital Defense 2024: 600M Identity Attacks per Day
Microsoft Entra blocks roughly 600 million identity attacks per day. Over 99% are password-based. The volume of attacks per second has reached 7,000. MFA fatigue, SIM swapping, and adversary-in-the-middle phishing are the dominant bypass tactics for the MFA-enabled minority.
Analyst · Archive
Gartner: 25% of Organisations Will Deploy a Secure Enterprise Browser by 2028
Gartner predicts that by 2028, 25% of organisations will augment existing secure remote access and endpoint security tools by deploying at least one secure enterprise browser to close specific gaps. The category is now formally tracked in Gartner research.
Gartner: Machine Identity Is a Top 6 Cybersecurity Trend
Gartner named machine identity management as a top cybersecurity trend. Its survey found that IAM teams manage only 44% of machine identities.
Forrester: Agentic AI Is Now a Top IAM Trend
Forrester's 2025 IAM trends report names the rise of agentic AI as a defining force. Autonomous agents sit between machine and human identities, with high volume, real autonomy, and real-world impact, and legacy IAM tooling cannot govern them effectively.
Forrester Wave: Identity Threat Detection and Response (ITDR)
Forrester has formalised Identity Threat Detection and Response as a discrete category and is evaluating named vendors against it. The framing matters because it pulls identity into the SOC workflow rather than leaving it inside the identity-engineering silo.
KuppingerCole: Identity Fabric as the Successor to the IAM Suite
KuppingerCole's Identity Fabric model has emerged as a leading analyst alternative to the monolithic IAM-suite framing. Identity Fabric is composed: best-of-breed components stitched into a coherent control plane, with the fabric itself being the artefact under design.
Gartner Hype Cycle: Identity-First Security Reaches the Plateau
Gartner's IAM Hype Cycle now places Identity-First Security as a mainstream practice. ITDR, identity-fabric, decentralised identity, agent identity, and posture management are the named emerging plays with the most direct relevance to architecture programmes.
Forrester: Enterprise Browser Market Now Has Real Tremors
Forrester analysts have moved from horizon-watching to category formation on enterprise browsers. The market is now consolidating, named vendors are competing on capability, and the analyst guidance is converging on identity-aware browser controls as a strategic decision, not a point tool.
Gartner: 30% of Enterprises Will Find Identity Verification Unreliable by 2026
Gartner predicts AI-generated deepfakes will undermine biometric and knowledge-based identity verification methods.
Gartner: Identity Fabric Immunity Will Prevent 85% of Attacks by 2027
Gartner predicts identity fabric immunity principles will prevent 85% of new attacks and reduce financial breach impact by 80% by 2027.