When most people think of hacking, they probably think of some Matrix-like montage of all-black suits, otherworldly tech savvy, and an obligatory “I’m in” once everything goes as planned.

Lo and behold: movies and YouTube shorts may not be the most accurate reflections of reality. Turns out that all some multi-million dollar hacking schemes require is to just ask for the victim’s password. NBC News has coverage:

Bleach maker Clorox said Tuesday that it has sued information technology provider Cognizant over a devastating 2023 cyberattack, alleging that [Scattered Spider, a hacking group] pulled off the intrusion simply by asking the tech company’s staff for employees’ passwords.

…

“Cognizant was not duped by any elaborate ploy or sophisticated hacking techniques,” according to a copy of the lawsuit reviewed by Reuters. “The cybercriminal just called the Cognizant Service Desk, asked for credentials to access Clorox’s network, and Cognizant handed the credentials right over.”

There’s something poetic about the idea that a tech company named Cognizant would not be aware of an imminent “hacking.” Cognizant’s alleged lack of awareness ultimately cost around $380M in damages. Everyone can admit that two-factor authentication is annoying, but come on people — you should at least have 1 factor!

The Record was able to get Cognizant’s take on the repeated security breaches. Cognizant’s spokesperson placed the blame on Clorox, saying that it was “shocking that a corporation the size of Clorox had such an inept internal cybersecurity system to mitigate this attack.” Who is actually responsible will be for courts to figure out, but the story as it stands makes it look like everyone but Scattered Spider fell asleep at the wheel.

Clorox’s “No, you” account of what happened is pretty damning:

“The Agent further reset Employee 1’s MFA credentials multiple times without any identity verification at all. And at no point did the Agent send the required emails to the employee or the employee’s manager to alert them of the password reset.”

Clorox reportedly gave Cognizant instructions to verify a caller’s identity before giving away passwords — something the suit claims Cognizant employees failed to do at least three times.

Keep your eyes peeled: the FBI has recently announced that Scattered Spider has pivoted attention toward airlines. Considering Boeing already has trouble securing their airplane doors, I wouldn’t be too surprised if someone finds security issues with their tech.

Lawsuit Says Clorox Hackers Got Passwords Simply By Asking [NBC News]
Clorox Lawsuit Says Help-Desk Contractors Handed Over Passwords In 2023 Cyberattack [The Record]

Chris Williams became a social media manager and assistant editor for Above the Law in June 2021. Prior to joining the staff, he moonlighted as a minor Memelord™ in the Facebook group Law School Memes for Edgy T14s. He endured Missouri long enough to graduate from Washington University in St. Louis School of Law. He is a former boatbuilder who is learning to swim, is interested in critical race theory, philosophy, and humor, and has a love for cycling that occasionally annoys his peers. You can reach him by email at [email protected] and by tweet at @WritesForRent.
