What would happen if someone got hold of one of your employees’ passwords from years ago?

Not a password they’re using today.

Not one they even remember.

Just an old one that never got changed.

Because that’s exactly how a recent, large-scale data-theft campaign worked.

A recent investigation by a cyber security firm uncovered a new hacking campaign. Sensitive business data from dozens of organisations around the world was quietly collected and later put up for sale on the dark web.

Different industries. Different countries. Different sizes of business.

But one thing kept coming up again and again.

Every affected organisation had allowed staff to log into important cloud systems using nothing more than a username and password. No second step. No extra check. Just type your password and you’re in.

This is where MFA comes in.

Multi-factor authentication simply means using more than one piece of evidence to prove it’s really you. Usually that’s your password plus something else, like a code on your phone, a notification you approve, or a fingerprint. 

So even if someone steals your password, they still can’t get in.

In these cases, MFA wasn’t enforced.

So how did the attackers get hold of the passwords in the first place?

They relied on something called infostealing malware. That’s a type of malicious software that can end up on a computer without the person using it realising. 

Once it’s there, it quietly collects saved passwords, login details, and other sensitive information, and sends it back to criminals.

This doesn’t only happen on office computers. It can happen on home devices, personal laptops, or any machine that’s ever been used to log into work systems.

When those details are stolen, they don’t always get used straight away. And this is the part that really matters.

Some of the passwords used in this campaign were years old.

That tells us two important things:

• Passwords weren’t being changed often enough
• Old logins were still being trusted long after they should have been invalidated

In other words, a device infected a long time ago could suddenly become a serious problem today.

This has been described as a “latency” issue. The threat sits quietly in the background, waiting. An old mistake doesn’t disappear just because time has passed.

The attackers would have been stopped if MFA had been switched on.

They had the passwords. But they didn’t have the second factor. No phone. No app. No approval tap. That one extra step would have turned a successful break-in into a dead end.

This is why security professionals (like me) keep saying the same thing, repeatedly: Passwords on their own are no longer enough.

I know one of the most common reactions to MFA is, “But it’s annoying”. And yes, it does add an extra moment to the login process. 

But compare that to what happens when a password nobody remembers is still valid years later. When confidential files can be copied, sold, or quietly taken without anyone noticing until it’s too late.

MFA turns a stolen password into a useless piece of information. And that’s why enforcing MFA isn’t overkill anymore, it’s sensible.

If there’s one lesson here, it’s a simple one: Old passwords don’t expire on their own. One extra lock on the door makes all the difference.

Need help getting set up? Get in touch.