
What we can learn from real-world authentication failures


Maya Kaczorowski

CEO / Founder

This blog post is a written version of a talk that our cofounder Maya gave at BSidesSeattle in April. You can also watch the recording and get the slides.

Authentication is one of the most critical identity controls we have. In some sense, it's both the first and last line of defense. If authentication fails, it means that attackers can bypass all other controls. And since identity is tied to all other systems, the compromise of even a single account could have a wide-reaching impact.

Although there are so many ways that authentication could go wrong — credential compromise, MFA and recovery weaknesses, session management failures, and poorly implemented protocols — there’s not necessarily that much variance in reality. In this post, we'll look at real-world authentication failures from the last five years. Studying these incidents is how our industry learns and improves, as long as we actually apply those lessons.

Credential compromise

Credential compromise is the most common type of authentication failure, whether that be password theft, credential stuffing, or a brute force attack. This could also occur via the compromise of an identity provider or password manager.

We know how to prevent most credential compromises: by using multi-factor authentication. Yet, these incidents remain shockingly common and impactful in reality. The real failure isn't "credential compromise," it's "no MFA" (let's call it what it is).

LAPSUS$ gains access to Okta’s support system

In January 2022, LAPSUS$ compromised an Okta third-party support engineer's laptop, using it to then access the customer support system. The breach only came to light months later when screenshots of Okta's own Okta instance with superuser access were posted on Twitter.

In all, the attacker had access to the individual’s laptop for 5 days, giving them access to 366 customers' Okta tenants, though seemingly no further damage was done.

Many of the authentication vulnerabilities we've seen in the past few years can be attributed to LAPSUS$ — and they definitely have their preferred playbook.

Another compromise of Okta’s support system

In 2023, an attacker again gained unauthorized access to Okta's customer support system, affecting 134 of their customers. The breach occurred when an employee saved their work credentials to their personal Chrome password manager, which was later compromised.

The attacker found that some support chats, logs, and files had valid session tokens, which they were able to use to compromise five of Okta’s customers, including Cloudflare, BeyondTrust, and 1Password.

Credential stuffing Snowflake customers

In early 2024, members of the online crime-focused chat group The Com targeted Snowflake. Many Snowflake customer accounts were protected only with a username and password (no second factor). The attackers, tracked as UNC5537, purchased customers' credentials on the dark web and systematically took over these accounts.

Up to 165 Snowflake customers were compromised, with attackers stealing phone and text message records for 110 million AT&T customers and leaking 160 thousand Taylor Swift Eras tour barcodes from Ticketmaster. The attackers also extorted dozens of companies in exchange for not releasing their data, netting about $2 million in ransom payments.

In response, Snowflake made MFA generally available, requiring it for new accounts — and increased the minimum password length from eight to fourteen characters.

These credential compromises demonstrate that basic authentication still fails spectacularly. But what happens when organizations do implement MFA — and attackers find a way around it?

MFA and recovery weaknesses

When basic credential theft fails, attackers pivot to target the second factor directly. MFA and recovery weaknesses include MFA fatigue, implementation issues in recovery flows, and SIM swapping.

Social engineering to get access to Twitter's support tool

Twitter’s support team used an internal admin tool for common support workflows, such as suspending accounts or changing their recovery emails. Knowing that as many as 1500 Twitter employees had access to such a powerful tool, attackers scraped LinkedIn for Twitter employee profiles, then called them impersonating the IT department. The attackers directed their targets to a fake VPN login page and phished their 2FA code, gaining access to Twitter’s internal network, including the admin tool.

In this way, the attackers were able to gain access to about 130 prominent accounts, tweeting scam bitcoin messages from 45 of those accounts. This netted them around $120k in bitcoin payments before the messages were taken down.

MFA fatigue at Uber

To get into Uber, LAPSUS$ obtained VPN credentials for a contractor, then continuously bombarded that user with MFA prompts while simultaneously contacting them on WhatsApp posing as ‘tech support’. Eventually, the user approved a prompt, allowing the attacker to log in. Once on Uber's VPN, the attacker had access to the contractor’s accounts on Google Workspace and Slack.

This was the same technique LAPSUS$ used against Microsoft, Nvidia, and Okta. MFA fatigue works because it only takes one approval — whether from exhaustion, confusion, or a simple misclick — to let attackers in.

Session management failures

Even with second factors in place, attackers adapt. Some have moved to bypassing authentication entirely, by stealing active sessions — through session hijacking, cookie theft, OAuth token theft, XSS, or CSRF. Once a legitimate user has authenticated and proven their identity, the attacker simply takes over that established session.

GitHub OAuth token theft

GitHub issues OAuth tokens for connecting with other systems like CI/CD pipelines. In April 2022, GitHub discovered attackers using stolen Heroku and Travis-CI OAuth tokens to access organizations’ data. Each token allowed the attackers to access the GitHub API as that user, enumerate their organizations and private repositories, then selectively clone repositories they were interested in.

The attackers then searched private repos for secrets. They found npm's AWS infrastructure API key, and proceeded to download all private npm package manifests and metadata, 100k npm users' hashed passwords, and private packages from two organizations.

OAuth tokens — which often provide broad, persistent access — have become increasingly attractive targets because organizations rarely review which apps employees have authorized or what scopes those apps have been granted.

Stealing CircleCI sessions and customer tokens

In January 2023, CircleCI was alerted to an issue when one of their customers noticed suspicious activity for a GitHub OAuth token that was stored in CircleCI. They discovered an attacker had compromised an engineer's laptop with malware, stealing an active 2FA-backed SSO session. The engineer had production access, which the attacker used to steal customer environment variables, tokens, and keys.

CircleCI issued a notice for its customers to rotate secrets they had stored in CircleCI, and then went a step further, coordinating with other infrastructure providers to invalidate and rotate OAuth tokens for GitHub, Bitbucket, and GitLab.

Authentication protocol failures

The last kind of authentication failure we’ll consider is authentication protocol weaknesses. These are rarely weaknesses in the protocols themselves, and more often stem from poor implementations, such as OIDC misconfigurations or missing JWT validation.

ProxyShell vulnerabilities in Microsoft Exchange

At Pwn2Own Vancouver 2021, researchers discovered vulnerabilities in Microsoft Exchange. By exploiting an "Explicit Login" feature used for direct access to a user's inbox, attackers could manipulate Exchange's URL normalization and gain unauthenticated access to Exchange Server internals. Chained with two other CVEs — collectively called ProxyShell — this enabled remote code execution on multiple Exchange Server versions, affecting tens of thousands of servers globally.

Microsoft quickly released patches, but about a year later, suspiciously similar attacks were detected. It turns out that the patches were insufficient: Exchange remained vulnerable to server-side request forgery, with two more CVEs — dubbed ProxyNotShell — allowing authenticated attackers to bypass two-factor authentication to again achieve RCE.

Lessons learned

So, what can we learn and apply from these real-world failures?

Implementing authentication

If you’re implementing authentication:

  • Check for common implementation mistakes. These can happen to anyone. Not even sophisticated organizations — like Microsoft, with critical authentication products like Active Directory, or Okta, an identity company — are immune.
  • Use the right algorithms. Double check anything that is particularly sensitive, or touches cryptography, like hashing or input normalization.
  • Implement session timeouts. Limit the impact of session hijacking by restricting how long a token or credential is valid for.
  • Prevent brute force attacks. Implement rate limits and log authentication attempts to avoid password spray or mass credential stuffing attacks.
  • Provide users with more than just basic auth. Implement SSO, MFA, and strong controls for admin or other sensitive actions.

Using authentication

So many of the issues we’ve seen in the last few years have very much followed a playbook — often LAPSUS$’s playbook. If there’s only one thing beyond the basics that you should really be doing, it’s rolling out strong phishing-resistant MFA, like hardware tokens or passkeys.

The basics still matter most:

  • Implement MFA. You should really do this!
  • Require the use of strong MFA. Use hardware or WebAuthn-based MFA.
  • Educate your users. Warn employees about attacks like MFA fatigue, and make sure they know how to report suspicious activity.
  • Set up monitoring. Alert on suspicious authentication events like MFA failures, password resets, and MFA enrollment for new devices.
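As a concrete illustration of the "prevent brute force attacks" and "set up monitoring" points above, here is an added example (not code from the original post or from any vendor) that runs two detection rules over a constructed sample of authentication events: the MFA fatigue pattern from the Uber incident and the credential stuffing pattern from the Snowflake incident. The event names, field layout, IP addresses and thresholds are assumptions chosen for the example.

```python
"""Two detection rules over a constructed sample of authentication events:
MFA fatigue (many push prompts to one user, then an approval; the Uber
pattern) and credential stuffing (one source IP failing logins against many
distinct usernames; the Snowflake pattern). Event names, fields and
thresholds are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: (ISO timestamp, event, user, source_ip)
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00", "mfa_push_sent", "contractor1", "203.0.113.5"),
    ("2024-05-01T09:00:30", "mfa_push_sent", "contractor1", "203.0.113.5"),
    ("2024-05-01T09:01:10", "mfa_push_sent", "contractor1", "203.0.113.5"),
    ("2024-05-01T09:01:40", "mfa_push_sent", "contractor1", "203.0.113.5"),
    ("2024-05-01T09:02:05", "mfa_approved", "contractor1", "203.0.113.5"),
    ("2024-05-01T10:00:00", "mfa_push_sent", "alice", "198.51.100.7"),
    ("2024-05-01T10:00:20", "mfa_approved", "alice", "198.51.100.7"),
] + [  # one IP trying 12 different accounts within a few seconds
    (f"2024-05-01T11:00:{i:02d}", "login_failed", f"user{i}", "192.0.2.9")
    for i in range(12)
]


def detect_mfa_fatigue(events, window=timedelta(minutes=10), min_prompts=4):
    """Users who approved a push after >= min_prompts pushes within `window`."""
    alerts, pushes = set(), defaultdict(list)
    for ts, ev, user, _ip in sorted(events):  # ISO timestamps sort as strings
        t = datetime.fromisoformat(ts)
        if ev == "mfa_push_sent":
            pushes[user].append(t)
        elif ev == "mfa_approved":
            recent = [p for p in pushes[user] if t - p <= window]
            if len(recent) >= min_prompts:
                alerts.add(user)
    return alerts


def detect_credential_stuffing(events, window=timedelta(minutes=5), min_users=10):
    """Source IPs with failed logins for >= min_users distinct accounts within `window`."""
    alerts, failures = set(), defaultdict(list)  # ip -> [(time, user)]
    for ts, ev, user, ip in sorted(events):
        if ev != "login_failed":
            continue
        t = datetime.fromisoformat(ts)
        failures[ip].append((t, user))
        distinct = {u for pt, u in failures[ip] if t - pt <= window}
        if len(distinct) >= min_users:
            alerts.add(ip)
    return alerts
```

On the sample data the first rule flags `contractor1` (four prompts in two minutes, then an approval) and the second flags `192.0.2.9` (twelve distinct usernames in eleven seconds); real deployments would tune the windows and thresholds to their own baseline.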

Beyond MFA, you should also:

  • Review OAuth tokens in your environment. Check which integrations are authorized, what scopes they have, and when tokens were last rotated. Treat this as an ongoing process, not a one-time audit.
  • Prevent employees from using personal password managers. Provide them with a corporate password manager.
  • Pay attention to contractor access. Secure how non-employees, including those in support, access critical systems. This includes endpoint protection or browser controls to detect keylogging or infostealing malware.

Finally, assume compromise will happen and prepare accordingly. Design for defense in depth, implement logging and monitoring, and when a breach does occur, move quickly. Lastly, please share what you can — that's how the industry learns and improves.

Authentication failures continue to be a primary vector for major security incidents. Our best defense is learning from the past and preparing for what seems inevitable.
