by James Cavenaugh | May 13, 2026 | Identity & Access Security
In September 2022, Uber got breached. An 18-year-old attacker bought a contractor’s password on the dark web for a few dollars. The contractor had MFA enabled. Uber’s MFA required pushing “approve” on a mobile app. The attacker couldn’t...
by James Cavenaugh | May 6, 2026 | Identity & Access Security
In October 2023, 23andMe disclosed in an SEC filing that attackers had gained access to about 6.9 million customer accounts. The word “breach” got used a lot in the coverage. It’s not really the right word. 23andMe themselves pushed back on it. They...
by James Cavenaugh | May 4, 2026 | Identity & Access Security
In September 2023, MGM Resorts and Caesars Entertainment both got owned by the same threat group inside of ten days. Caesars paid a ransom that reporting later put at around $15 million. MGM refused to pay, took their systems offline, and disclosed to the SEC that the...
by James Cavenaugh | Apr 27, 2026 | Identity & Access Security
If your firm’s idea of multi-factor authentication is “we get a text message with a code,” you don’t really have MFA. You have something that feels like MFA, and that feeling is worth less than you think. NIST deprecated SMS as a second factor...
