10 Recent Breaches that Could Have been Prevented with Modern IGA
The following ten breaches from 2023–2025 represent some of the most consequential cybersecurity incidents in recent history. Despite their scale and sophistication, each breach traces back to fundamental failures in identity governance and access management: stale credentials, over-provisioned accounts, missing MFA, orphaned service accounts, excessive third-party access, and absent access reviews.
Collectively, these incidents affected over 700 million individuals, cost organizations billions of dollars, and disrupted critical infrastructure from healthcare to financial services. The common thread is clear: modern Identity Governance and Administration (IGA) capabilities—like those provided by Opal Security—could have prevented or significantly mitigated each of these breaches.
Key Patterns Across Breaches
Stolen or Stale Credentials: 7 of 10 breaches involved credentials that were stolen, unrotated, or stored insecurely. In the Snowflake breaches, some credentials dated back to 2020 and had never been changed.
Missing Multi-Factor Authentication: 6 of 10 breaches exploited accounts or systems where MFA was not enforced. Change Healthcare’s CEO testified the entire breach was preventable with MFA.
Over-Privileged or Orphaned Accounts: 5 of 10 breaches involved accounts with excessive permissions or legacy accounts that should have been decommissioned, including Microsoft’s test tenant and Okta’s service account.
Third-Party / Vendor Access Failures: 5 of 10 breaches originated from or were amplified by insufficient controls on third-party vendor access, from outsourced help desks to business process outsourcers.
Social Engineering at the Help Desk: 3 of 10 breaches began with attackers impersonating employees to manipulate IT help desk personnel into resetting credentials or MFA.
Breach Details
1. Change Healthcare / UnitedHealth Group
Date | February 2024 |
Impact | 190 million Americans affected; $872M+ in damages; $22M ransom paid; nationwide healthcare disruption for weeks. |
Root Cause | Attackers used stolen credentials to access a Citrix remote access portal that lacked MFA. The portal was a legacy system acquired through M&A and never fully integrated into UnitedHealth’s security controls. Attackers moved laterally for 9 days before deploying ransomware. |
IGA Relevance | Missing MFA on a legacy remote access system, failure to enforce least-privilege access, poor credential lifecycle management, no access reviews on acquired infrastructure. |
Opal Prevention | Opal’s automated access reviews and continuous governance would flag legacy systems lacking MFA. Just-in-time access provisioning would prevent standing credentials on sensitive portals. Post-acquisition access discovery would surface unmanaged entry points. |
2. Snowflake Customer Breaches (AT&T, Ticketmaster, Santander, 160+ orgs)
Date | April–June 2024 |
Impact | ~165 organizations compromised; AT&T lost call metadata for 109M customers and paid $370K ransom; Ticketmaster lost 590M records; Santander lost 30M customer files. |
Root Cause | Threat group UNC5537 used credentials stolen via infostealer malware (some dating to 2020) to log into Snowflake customer instances. None of the breached accounts had MFA enabled. Credentials had never been rotated. |
IGA Relevance | Stale, unrotated credentials on a critical SaaS platform with no MFA enforcement. Over 80% of compromised accounts had prior credential exposure. No automated deprovisioning of unused accounts. |
Opal Prevention | Opal’s continuous access monitoring and credential lifecycle management would detect stale, high-risk accounts with missing MFA. Automated access reviews would revoke dormant Snowflake credentials. Policy-as-code enforcement could require MFA for all SaaS data platforms. |
3. Microsoft / Midnight Blizzard (APT29)
Date | November 2023 – January 2024 |
Impact | Russian state actor accessed senior leadership and cybersecurity team email accounts; source code and internal documents exfiltrated; ongoing unauthorized access persisted for months. |
Root Cause | Attackers password-sprayed a legacy, non-production test tenant account that lacked MFA. That account had access to a legacy OAuth application with elevated permissions to Microsoft’s corporate environment. Attackers created malicious OAuth apps and granted themselves full mailbox access. |
IGA Relevance | Orphaned test account with no MFA, over-privileged legacy OAuth application, no access review of non-production environments, failure to remove dormant accounts and excessive permissions. |
Opal Prevention | Opal’s automated access discovery would surface orphaned test accounts and over-privileged non-human identities. Time-bounded access policies would prevent standing elevated permissions on legacy apps. Continuous governance would flag OAuth apps with excessive scopes. |
4. MGM Resorts International
Date | September 2023 |
Impact | $100M+ financial loss; 10 days of operational outage across Las Vegas properties; customer PII including SSNs and passports exposed; ongoing lawsuits and regulatory investigations. |
Root Cause | Scattered Spider used LinkedIn reconnaissance to impersonate an MGM employee, then called the IT help desk to socially engineer a password reset and MFA re-enrollment. Once inside, attackers moved laterally through MGM’s Okta environment and deployed ALPHV ransomware. |
IGA Relevance | Help desk lacked identity verification beyond knowledge-based questions. Password reset process required only basic employee information (name, employee ID, DOB). Once credentials were reset, no secondary approval or anomaly detection triggered. |
Opal Prevention | Opal’s access request workflows with multi-party approval would prevent unverified help desk resets for privileged accounts. Identity-aware access policies could enforce step-up verification for sensitive resets. Automated anomaly detection on privilege escalation would flag suspicious activity. |
5. Caesars Entertainment
Date | August 2023 |
Impact | Customer loyalty database with SSNs and driver’s licenses exfiltrated; $15M ransom paid; 41,397+ confirmed victims in Maine alone. |
Root Cause | Scattered Spider launched a social engineering attack against Caesars’ outsourced IT support vendor. Attackers impersonated employees to trick the help desk into providing login credentials, then used those credentials to access the loyalty database. |
IGA Relevance | Third-party vendor had excessive access to production customer data. No identity verification beyond knowledge-based authentication at the help desk. Lack of access segmentation between IT support vendor and sensitive customer databases. |
Opal Prevention | Opal’s third-party access governance would enforce least-privilege for outsourced vendors with time-bounded access. Access request workflows with approval chains would prevent social engineering at the help desk. Granular RBAC would segment support vendor access from customer PII. |
6. Okta Support System Breach
Date | September–October 2023 |
Impact | Initially reported as 134 customers affected; later revised to all customer support system users (18,000+). Session tokens stolen for 1Password, Cloudflare, and BeyondTrust. |
Root Cause | An Okta employee saved service account credentials to a personal Google account. Those credentials were compromised, giving attackers access to Okta’s customer support system. The service account had excessive permissions and bypassed MFA. Attackers stole HAR files containing session tokens. |
IGA Relevance | Service account with excessive privileges and no MFA. Credentials stored on a personal device. No separation between personal and corporate account access on work devices. 14-day detection gap. |
Opal Prevention | Opal’s non-human identity governance would enforce least-privilege and credential rotation for service accounts. Automated access reviews would flag service accounts bypassing MFA. Just-in-time access could replace standing service account credentials with ephemeral tokens. |
7. Coinbase Insider Breach
Date | December 2024 – May 2025 |
Impact | ~70,000 customer records exposed including government IDs and SSNs; $180–$400M estimated costs; $20M ransom demand (refused). |
Root Cause | Cybercriminals bribed overseas customer support contractors at TaskUs in India (up to $2,500 per person) to copy customer data using their legitimate support tool access. One contractor reportedly photographed up to 200 customer records per day. |
IGA Relevance | Third-party contractors had broad access to sensitive customer PII through support tools. No granular controls on what data support agents could view. Insufficient insider threat monitoring. Access scope was too wide for the job function. |
Opal Prevention | Opal’s fine-grained access controls would restrict support agents to only the data fields required for their specific tasks. Behavioral monitoring and access analytics would detect anomalous data access patterns (200 records/day). Third-party access governance would enforce strict, auditable access policies for outsourced teams. |
8. National Public Data (NPD)
Date | August 2024 (disclosed) |
Impact | 272+ million SSNs potentially compromised; company filed for bankruptcy; numerous class-action lawsuits. |
Root Cause | A publicly accessible file on an NPD sister site contained plaintext usernames and passwords, including admin credentials. No sophisticated hacking required—the data was essentially left unprotected online. |
IGA Relevance | Admin credentials stored in plaintext and publicly accessible. No access controls on sensitive credential stores. Complete failure of credential management and access governance. |
Opal Prevention | Opal’s secrets management and credential governance would prevent plaintext credential storage. Automated access audits would detect publicly exposed credential files. Continuous compliance monitoring would flag violations of basic access hygiene. |
9. U.S. Treasury Department (via BeyondTrust)
Date | December 2024 |
Impact | Chinese state-sponsored hackers accessed 3,000+ unclassified files including documents from the Secretary, Deputy Secretary, and CFIUS/OFAC offices. |
Root Cause | Attackers compromised a third-party vendor (BeyondTrust) and used a stolen API key for a cloud-based remote support service to access Treasury workstations. The vendor’s compromised access provided a pathway into highly sensitive government systems. |
IGA Relevance | Third-party vendor had broad access to sensitive government endpoints via API keys. Insufficient monitoring of vendor access patterns. No just-in-time access controls on third-party remote support. |
Opal Prevention | Opal’s third-party access governance with time-bounded, just-in-time provisioning would limit vendor access windows. API key lifecycle management would enforce rotation and scope limitations. Continuous monitoring would detect anomalous access patterns from vendor service accounts. |
10. Conduent Business Services
Date | October 2024 – January 2025 |
Impact | 25.9+ million individuals affected (including 15.4M Texas residents, 10.5M Oregon residents); 8+ TB of data stolen including SSNs and medical information. |
Root Cause | Ransomware attackers accessed Conduent’s systems for nearly three months. As a business process outsourcer serving government agencies and large enterprises, Conduent’s compromised access exposed downstream customer data across multiple organizations. |
IGA Relevance | Extended dwell time (nearly 3 months) suggests lack of access monitoring. Business process outsourcer had broad access to sensitive data across many client organizations. Insufficient network segmentation and access controls. |
Opal Prevention | Opal’s continuous access monitoring and anomaly detection would shorten dwell time. Least-privilege enforcement across BPO relationships would limit blast radius. Automated access reviews would ensure outsourcer access is scoped appropriately per client engagement. |
How Opal Addresses These Failures
Opal Security’s AI-native identity governance platform directly addresses the systemic access management failures behind every breach in this brief:
Just-in-Time Access: Eliminates standing credentials and persistent access. Users and service accounts receive time-bounded, purpose-specific access that automatically expires—preventing the kind of stale credentials that enabled the Snowflake and Change Healthcare breaches.
Automated Access Reviews: Continuously evaluates who has access to what and flags anomalies. Would have caught Microsoft’s orphaned test tenant, Okta’s over-privileged service account, and NPD’s exposed credential files.
Policy-as-Code (OpalScript): Codifies access policies that enforce MFA requirements, least-privilege principles, and credential rotation—ensuring consistent governance even across legacy systems and M&A integrations.
Third-Party Access Governance: Provides granular, auditable controls for vendor and contractor access with time-bounded provisioning and behavioral monitoring—directly addressing the Coinbase insider, Caesars vendor, and Treasury BeyondTrust attack vectors.
Non-Human Identity Management: Discovers and governs service accounts, API keys, and OAuth applications—the exact blind spots exploited in the Microsoft Midnight Blizzard and Okta breaches.
AI-Powered OpalQuery: Enables security teams to ask natural-language questions about their access landscape, surfacing risks like “which service accounts have admin access but haven’t been reviewed in 90 days?” before attackers exploit them.
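As an added example (not Opal Security’s code or its OpalScript language), the Python audit below answers the 90-day question quoted above over a constructed identity inventory, and also flags the stale-credential, missing-MFA, dormant and orphaned-account patterns from the Key Patterns section. Account names, roles, thresholds and the audit date are assumptions chosen for illustration.

```python
"""Access-hygiene audit over a constructed identity inventory.

Each check maps to a failure class this brief attributes to the ten breaches:
NO_MFA, STALE_CREDENTIAL, DORMANT, ORPHANED_SERVICE_ACCOUNT, UNREVIEWED_ADMIN
and NONPROD_ELEVATED. All records and thresholds are constructed for
illustration; none of this is Opal Security's code or OpalScript.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

AUDIT_DATE = date(2025, 6, 1)                 # fixed so results are reproducible
MAX_CREDENTIAL_AGE = timedelta(days=365)      # rotate at least yearly (assumed policy)
MAX_DORMANCY = timedelta(days=90)             # no sign-in for 90 days counts as dormant
MAX_REVIEW_AGE = timedelta(days=90)           # the "90 days" from the question above


@dataclass(frozen=True)
class Account:
    name: str
    kind: str                         # "human" or "service" (non-human identity)
    owner: Optional[str]              # None marks an orphaned service account
    mfa_enforced: bool
    roles: Tuple[str, ...]
    credential_rotated: date          # last password / API-key rotation
    last_login: Optional[date]        # None means never used
    last_reviewed: Optional[date]     # last completed access review
    environment: str = "prod"         # "prod", "legacy", "test", ...


def is_admin(acct: Account) -> bool:
    return "admin" in acct.roles


def review_overdue(acct: Account, today: date = AUDIT_DATE) -> bool:
    return acct.last_reviewed is None or today - acct.last_reviewed > MAX_REVIEW_AGE


def audit(acct: Account, today: date = AUDIT_DATE) -> List[str]:
    """Return the findings for one account, in a fixed order."""
    findings: List[str] = []
    if not acct.mfa_enforced:
        findings.append("NO_MFA")                     # Change Healthcare / Snowflake pattern
    if today - acct.credential_rotated > MAX_CREDENTIAL_AGE:
        findings.append("STALE_CREDENTIAL")           # Snowflake credentials dating to 2020
    if acct.last_login is None or today - acct.last_login > MAX_DORMANCY:
        findings.append("DORMANT")                    # dormant account never deprovisioned
    if acct.kind == "service" and acct.owner is None:
        findings.append("ORPHANED_SERVICE_ACCOUNT")   # nobody accountable for the credential
    if is_admin(acct) and review_overdue(acct, today):
        findings.append("UNREVIEWED_ADMIN")           # standing privilege, no recent review
    if is_admin(acct) and acct.environment != "prod":
        findings.append("NONPROD_ELEVATED")           # test tenant holding elevated rights
    return findings


def audit_inventory(inventory, today: date = AUDIT_DATE) -> Dict[str, List[str]]:
    """Map account name -> findings, omitting accounts with nothing to report."""
    report = {a.name: audit(a, today) for a in inventory}
    return {name: f for name, f in report.items() if f}


def unreviewed_admin_service_accounts(inventory, today: date = AUDIT_DATE) -> List[str]:
    """Service accounts with admin access that have not been reviewed in 90 days."""
    return sorted(a.name for a in inventory
                  if a.kind == "service" and is_admin(a) and review_overdue(a, today))


# Constructed sample inventory (not real accounts).
INVENTORY = [
    Account("svc-support-portal", "service", None, False, ("admin", "support.read"),
            date(2020, 3, 1), date(2025, 5, 30), None),
    Account("legacy-test-tenant", "human", "it-ops", False, ("admin",),
            date(2024, 1, 10), date(2024, 8, 1), date(2024, 1, 10), environment="test"),
    Account("jdoe", "human", "jdoe", True, ("support.read",),
            date(2025, 4, 1), date(2025, 5, 31), date(2025, 4, 15)),
    Account("vendor-remote-support", "service", "vendor-x", True, ("admin",),
            date(2025, 5, 1), date(2025, 5, 31), date(2025, 1, 15)),
    Account("svc-etl-warehouse", "service", "data-eng", True, ("warehouse.read",),
            date(2025, 3, 1), None, date(2025, 5, 1)),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        print(f"{name:24} {', '.join(findings)}")
    print("unreviewed admin service accounts:", unreviewed_admin_service_accounts(INVENTORY))
```

The vendor account passes every hygiene check except the review cadence, which is the case a periodic access review exists to catch.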
Conclusion
Every breach in this document was preventable with capabilities that exist today. The question is no longer whether organizations need modern identity governance—it’s whether they can afford to wait. Opal Security provides the AI-native IGA platform that closes the access governance gaps responsible for the most damaging breaches of our time. If you aim to prevent access and identity breaches in your business, schedule a demo today.
Heading to RSA this month? Stop by our Open House for a live demo of what’s next in identity security.