What would happen if someone got hold of one of your employees' passwords from years ago?
Not a password they're using now.
Not one they even remember.
Just an old one that was never changed.
Because that's exactly how a recent large-scale data theft campaign worked.
A recent investigation by a cybersecurity firm uncovered a new hacking operation. Sensitive business data from dozens of organizations around the world was quietly collected and later offered for sale on the dark web.
Different industries. Different countries. Different business sizes.
But one thing kept appearing again and again.
Every affected organization had allowed staff to sign in to important cloud systems using nothing more than a username and password. No second step. No extra verification. Just enter your password and you're in.
This is where MFA comes in.
Multi-factor authentication means using more than one form of proof to confirm it's really you. Usually that's your password plus something else, like a code sent to your phone, an approval notification, or a fingerprint.
So even if someone steals your password, they still can't access the account.
In these cases, MFA wasn't enforced.
So how did the attackers get the passwords in the first place?
They relied on something called infostealing malware. That's a type of malicious software that can end up on a device without the user realizing it.
Once it's there, it quietly gathers saved passwords, login details, and other sensitive information, then sends it back to criminals.
This doesn't only happen on office computers. It can happen on home devices, personal laptops, or any machine that has ever been used to access work systems.
When those details are stolen, they're not always used right away. And this is the part that really matters.
Some of the passwords used in this campaign were years old.
That tells us two important things:
- Passwords weren't being changed often enough
- Old logins were still being trusted long after they should have been invalidated
In other words, a device infected a long time ago could suddenly become a serious problem today.
This has been described as a "latency" issue. The threat sits quietly in the background, waiting. An old mistake doesn't disappear just because time has passed.
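A defender's way to make the "latency" point concrete is to audit accounts for exactly the two conditions named above: password-only sign-in still allowed, and credentials (or dormant accounts) that were never invalidated. The following Python is an added example, not code from the original post or from the firm that published the investigation; the account records, the policy thresholds (365-day password age, 90-day dormancy) and all names are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample records: every user, date and flag here is invented.
@dataclass(frozen=True)
class Account:
    user: str
    password_set_on: date   # when the current password was last changed
    last_login: date        # most recent successful sign-in
    mfa_enrolled: bool      # user has registered a second factor
    mfa_required: bool      # policy actually demands that factor at sign-in

# Assumed policy values for this example; real tenants set their own.
MAX_PASSWORD_AGE = timedelta(days=365)
DORMANT_AFTER = timedelta(days=90)


def audit_account(acct: Account, today: date) -> list[str]:
    """Return the policy gaps for one account (empty list means clean)."""
    gaps = []
    if not acct.mfa_required:
        gaps.append("mfa_not_enforced")        # password alone grants access
    elif not acct.mfa_enrolled:
        gaps.append("mfa_not_enrolled")        # required, but never set up
    pw_age = today - acct.password_set_on
    if pw_age > MAX_PASSWORD_AGE:
        gaps.append(f"password_age_{pw_age.days}d")
    if today - acct.last_login > DORMANT_AFTER:
        gaps.append("dormant_still_enabled")   # old login still trusted
    return gaps


def audit(accounts: list[Account], today: date) -> dict[str, list[str]]:
    """Map each account with at least one gap to its list of gaps."""
    report = {}
    for acct in accounts:
        gaps = audit_account(acct, today)
        if gaps:
            report[acct.user] = gaps
    return report


def exposed_by_old_leak(acct: Account, leak_date: date) -> bool:
    """True if a password captured on leak_date would still work today
    with no second factor: the password in use on that day was never
    changed, and nothing beyond the password is checked at sign-in."""
    return acct.password_set_on <= leak_date and not acct.mfa_required


def sign_in_allowed(acct: Account, password_ok: bool, second_factor_ok: bool) -> bool:
    """The decision an identity provider should make at sign-in time."""
    if not password_ok:
        return False
    if acct.mfa_required:
        return second_factor_ok       # stolen password alone is a dead end
    return True


TODAY = date(2025, 6, 1)
SAMPLE = [
    Account("alice", date(2025, 3, 10), date(2025, 5, 30), True, True),
    Account("bob",   date(2022, 1, 15), date(2025, 5, 28), False, False),
    Account("carol", date(2024, 11, 2), date(2025, 1, 5), True, False),
]

if __name__ == "__main__":
    for user, gaps in audit(SAMPLE, TODAY).items():
        print(f"{user}: {', '.join(gaps)}")
    # A leak two years ago still unlocks bob's account today.
    print("bob exposed by a 2023 leak:", exposed_by_old_leak(SAMPLE[1], date(2023, 6, 1)))
```

Running it lists bob (no MFA, password over three years old) and carol (no MFA, dormant but still enabled) while alice passes; the `exposed_by_old_leak` check is the one to run against any password found in an infostealer dump, because it answers the question the post opens with.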
The attackers would have been stopped if MFA had been enabled.
They had the passwords. But they didn't have the second factor. No phone. No app. No approval tap. That one extra step would have turned a successful break-in into a dead end.
This is why security professionals like me keep repeating the same message: Passwords on their own are no longer enough.
I know one of the most common reactions to MFA is, "But it's annoying." And yes, it does add an extra moment to the sign-in process.
But compare that to what happens when a password nobody remembers is still valid years later. When confidential files can be copied, sold, or quietly taken without anyone noticing until it's too late.
MFA turns a stolen password into a useless piece of information. And that's why enforcing MFA isn't overkill anymore — it's sensible.
If there's one lesson here, it's a simple one: Old passwords don't expire by themselves. One extra lock on the door makes all the difference.
Need help getting set up? Get in touch.
Click here or give us a call at 714-369-8197 to book a free 15-minute discovery call.