Another good reason to enforce MFA

What would happen if someone got hold of one of your employees’ passwords from years ago?

Not a password they’re using today.

Not one they even remember.

Just an old one that never got changed.

Because that’s exactly how a recent, large-scale data-theft campaign worked.

A recent investigation by a cyber security firm uncovered a new hacking campaign. Sensitive business data from dozens of organisations around the world was quietly collected and later put up for sale on the dark web.

Different industries. Different countries. Different sizes of business.

But one thing kept coming up again and again.

Every affected organisation had allowed staff to log into important cloud systems using nothing more than a username and password. No second step. No extra check. Just type your password and you’re in.

This is where MFA comes in.

Multi-factor authentication simply means using more than one piece of evidence to prove it’s really you. Usually that’s your password plus something else, like a code on your phone, a notification you approve, or a fingerprint. 

So even if someone steals your password, they still can’t get in.

In these cases, MFA wasn’t enforced.

So how did the attackers get hold of the passwords in the first place?

They relied on something called infostealing malware. That’s a type of malicious software that can end up on a computer without the person using it realising. 

Once it’s there, it quietly collects saved passwords, login details, and other sensitive information, and sends it back to criminals.

This doesn’t only happen on office computers. It can happen on home devices, personal laptops, or any machine that’s ever been used to log into work systems.

When those details are stolen, they don’t always get used straight away. And this is the part that really matters.

Some of the passwords used in this campaign were years old.

That tells us two important things:

  • Passwords weren’t being changed often enough
  • Old logins were still being trusted long after they should have been invalidated

In other words, a device infected a long time ago could suddenly become a serious problem today.

This has been described as a “latency” issue. The threat sits quietly in the background, waiting. An old mistake doesn’t disappear just because time has passed.

The attackers would have been stopped if MFA had been switched on.

They had the passwords. But they didn’t have the second factor. No phone. No app. No approval tap. That one extra step would have turned a successful break-in into a dead end.

This is why security professionals (like me) keep saying the same thing, repeatedly: Passwords on their own are no longer enough.

I know one of the most common reactions to MFA is, “But it’s annoying”. And yes, it does add an extra moment to the login process. 

But compare that to what happens when a password nobody remembers is still valid years later. When confidential files can be copied, sold, or quietly taken without anyone noticing until it’s too late.

MFA turns a stolen password into a useless piece of information. And that’s why enforcing MFA isn’t overkill anymore, it’s sensible.

If there’s one lesson here, it’s a simple one: Old passwords don’t expire on their own. One extra lock on the door makes all the difference.

Need help getting set up? Get in touch.

Recent posts

Beware these “alerts” from Microsoft Azure

Beware these “alerts” from Microsoft Azure

There’s a new type of scam doing the rounds… and this one’s a little more convincing than most. It looks like a genuine alert from Microsoft Azure Monitor. 
It comes from a real Microsoft domain, and it lands in your inbox without being flagged as suspicious. That’s...

read more
Windows 11’s new focus on efficiency

Windows 11’s new focus on efficiency

For the past year or so, it’s felt like every Windows update came with three new AI features attached. Some of them are genuinely useful. Some feel like they’re there because they can be. So it’s interesting to see Microsoft take a slightly different tone with recent...

read more
Is data security your top priority?

Is data security your top priority?

There’s an interesting disconnect happening in the business world right now. Most IT leaders say data security is their number one concern when upgrading or modernizing systems.  In fact, nearly seven in ten rank it at the top of the list.  Yet only around a...

read more