What would happen if someone gained access to one of your employees’ old passwords?
Not a password they use today.
Not one they even remember.
Just a password that was never changed.
That scenario is exactly how a recent large-scale data theft campaign succeeded.
A cybersecurity firm recently investigated a widespread attack in which sensitive business data from dozens of organizations around the world was quietly collected and later sold on the dark web. The affected companies spanned multiple industries, countries, and business sizes.
Despite those differences, one pattern appeared consistently.
Every impacted organization allowed access to critical cloud systems using only a username and password. There was no second step, no additional verification, and no extra barrier once credentials were entered.
This is where multi-factor authentication becomes critical.
Multi-factor authentication requires more than one form of verification to confirm a user’s identity. Typically, this means a password combined with something else, such as a one-time code, an approval prompt on a phone, or a biometric factor.
Even if a password is stolen, access is blocked without that second factor.
In this campaign, multi-factor authentication was not enforced.
So how did attackers obtain the passwords?
They relied on infostealing malware. This type of malicious software can be installed on a device without the user realizing it. Once present, it quietly collects saved passwords, login details, and other sensitive information and transmits it to attackers.
This does not only happen on office computers. It can occur on home systems, personal laptops, or any device that has ever been used to access work accounts.
What makes this especially concerning is timing.
The stolen credentials were not always used immediately. Some of the passwords involved in this campaign were years old.
That reveals two important issues. Passwords were not being changed frequently enough, and old credentials were still being accepted long after they should have been invalidated.
In practical terms, a device compromised long ago can suddenly become a serious security risk today.
This is often described as a latency problem. The threat remains dormant, waiting for an opportunity. Time does not eliminate risk on its own.
The attacks would have failed if multi-factor authentication had been in place.
The attackers had the passwords, but they did not have access to the second factor. No phone, no app, no approval. That single additional step would have turned a successful breach into a dead end.
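As an added example (not code from the original post), here is a minimal login decision in Python that exercises both findings the post describes: a password that is years old is rejected even when it is correct, and a correct password without the time-based one-time code is refused once a second factor is enforced. The 90-day maximum password age, the account records and the RFC 4226/6238 test secret are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

MAX_PASSWORD_AGE = 90 * 86400  # seconds; assumed policy value, not from the post

@dataclass
class Account:
    username: str
    password: str                 # plaintext only to keep the illustration short
    password_set_at: float        # unix time the password was last changed
    totp_secret: Optional[bytes]  # None means no second factor enrolled

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, now: float, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP keyed on the current 30-second time window."""
    return hotp(secret, int(now) // step)

def authenticate(acct: Account, password: str, code: Optional[str],
                 now: float, enforce_mfa: bool = True):
    """Return (allowed, reason). A correct password alone never suffices when MFA is enforced."""
    if not hmac.compare_digest(acct.password, password):
        return False, "bad password"
    if now - acct.password_set_at > MAX_PASSWORD_AGE:
        return False, "password expired"        # years-old credentials are not accepted
    if not enforce_mfa:
        return True, "password only"            # the gap the campaign exploited
    if acct.totp_secret is None:
        return False, "mfa not enrolled"
    if code is None or not hmac.compare_digest(totp(acct.totp_secret, now), code):
        return False, "bad or missing code"     # stolen password, but no second factor
    return True, "password + totp"

if __name__ == "__main__":
    # Constructed account; the secret is the RFC 6238 test vector key.
    now = 1_700_000_000
    alice = Account("alice", "hunter2", now - 30 * 86400, b"12345678901234567890")
    print(authenticate(alice, "hunter2", None, now, enforce_mfa=False))
    print(authenticate(alice, "hunter2", None, now))
    print(authenticate(alice, "hunter2", totp(alice.totp_secret, now), now))
```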
This is why security professionals continue to emphasize the same message. Passwords alone are no longer sufficient.
One common objection to multi-factor authentication is that it feels inconvenient. It does add a small extra step to the login process. But that inconvenience is minimal compared to the impact of a breach caused by an old, forgotten password that is still valid.
Multi-factor authentication transforms a stolen password into unusable information. That is why enforcing it is no longer excessive. It is a practical and necessary safeguard.
The key takeaway is simple. Passwords do not expire on their own. One additional layer of protection can make the difference between a close call and a serious incident.
If you need help enforcing multi-factor authentication across your organization, feel free to get in touch.