Clorox Files Lawsuit Against Cognizant Over Employee Password Leak to Hackers

The Clorox Company filed a major lawsuit against IT services provider Cognizant on July 22, 2025, seeking $380 million in damages over a devastating cyberattack that the cleaning products giant claims was enabled by Cognizant’s security failures.

The lawsuit, filed in Alameda County Superior Court, alleges that Cognizant employees operating Clorox’s service desk simply handed over network credentials to a cybercriminal who called pretending to be company employees on August 11, 2023. 

According to the complaint, Cognizant agents reset passwords and multi-factor authentication without following proper verification procedures.

The Attack Unfolds

Court documents reveal how the cyberattack unfolded through a series of phone calls to Cognizant’s service desk. In one recorded conversation, a cybercriminal claiming to be a Clorox employee told the Cognizant agent: “I don’t have a password, so I can’t connect.”

The agent responded: “Oh, ok. Ok. So let me provide the password to you ok?” and proceeded to give out the credentials without any authentication.

The cybercriminal made multiple calls that day, successfully obtaining password resets and multi-factor authentication bypasses for two different employee accounts.

In one instance, a Cognizant agent even offered to reset both available MFA applications for an account without being asked.

“Cognizant was not duped by any elaborate ploy or sophisticated hacking techniques,” the lawsuit states. “The cybercriminal just called the Cognizant Service Desk, asked for credentials to access Clorox’s network, and Cognizant handed the credentials right over.”

The resulting cyberattack paralyzed Clorox’s corporate network and forced the company to take systems offline, pause manufacturing, and rely on manual order processing for weeks. 

This led to product shortages and significant lost sales, with Clorox claiming total damages of approximately $380 million, including over $49 million in remedial costs alone.

Clorox detected the intrusion within three hours and ejected the cybercriminal from its network within five days, but the damage was extensive. The company was forced to implement business continuity plans while rebuilding its IT infrastructure.

The lawsuit accuses Cognizant of breach of contract, gross negligence, and intentional misrepresentation.

Clorox alleges that Cognizant had repeatedly assured the company that its service desk staff were properly trained on credential support procedures, but the cyberattack exposed these assurances as false.

Beyond the initial security breach, Clorox claims Cognizant’s incident response was inadequate, with delays in reinstalling critical cybersecurity tools and providing incorrect network information that hindered recovery efforts.

Cognizant, which reported $20 billion in revenue for 2024, has not yet publicly responded to the lawsuit. The case highlights the critical importance of proper authentication procedures in corporate IT support operations.
