Can I Have a New Password, Please? The $400M Question
In August 2023, a series of events led to one of the largest cybersecurity breaches in recent history, with Clorox suffering estimated damages of around $380 million. The attack, attributed to the Scattered Spider group, was carried out through a seemingly innocuous phone call to Cognizant's service desk, which resulted in repeated password and MFA resets for compromised employees.
A Simple Phone Call, A Compromised Identity
The attackers used social engineering tactics, carrying out reconnaissance on the company's internal ticket references, names, titles, and recent hires. They then made a calm, scripted phone call that mimicked legitimate user behavior, convincing frontline agents to reset credentials and MFA without proper authentication.
The result was a single compromised identity becoming a pivot for lateral movement and major disruption. According to court filings, this attack highlights the vulnerability of third-party service desks, which often sit behind high-privilege bridges into multiple customers' environments.
Operational Paralysis and Data Loss
The impact of the attack was severe, with production systems taken offline, manufacturing paused, manual order processing halted, and shipment delays that depressed sales volumes. These supply-chain and fulfillment impacts, as well as forensic and remediation costs, made up most of the loss figure cited in the lawsuit.
It serves as a reminder that a simple unauthorized password reset can have far-reaching consequences. The incident has been flagged by CISA and other agencies, warning against similar groups targeting contracted help desks due to their vulnerability.
Defending Against the Scattered Spider Group
Advice from defense experts warns that threat actors will impersonate users and exploit weak verification to bypass MFA and reset credentials. Robust caller verification is not just good practice but a core supply-chain control.
The three structural reasons for this vulnerability are:
- Treat help-desk resets as privileged operations
- Instrument them accordingly with the following five actionable steps:
- Operational governance: contract language and audits
- Include measurable SLAs for MTTD/MTTR on suspected account compromises and require simulated social-engineering tests with remediation results published to you.
- Technology helps, but people will still get social-engineered. Run regular red-team phone-based simulations against your help desk (and your vendors), measure failures, and bake corrective training into operations.
- Track and reduce time from reset to containment — that metric will move the needle more than expensive, one-off hardening projects.
A Solution: Specops Secure Service Desk
The article recommends using Specops Secure Service Desk, which offers deterministic verification and automated containment. This solution allows you to see how enforced caller verification, immutable audit trails, and ticket integration in a production environment can help reduce the attacker's window to act.
Try it today and discover how it can shrink your security posture by implementing robust caller verification, improving incident response, and reducing the risk of supply-chain breaches.
Sponsored by Specops Software
This article is sponsored and written by Specops Software.