
The security industry has had plenty of warnings. It just has not acted on them.
Cast your mind back to the SolarWinds story. The attackers did not smash through anything. They slipped in, found machine identities with significant access, and used them the way they were designed to be used — quietly, legitimately, invisibly. Eighteen thousand organisations. Months undetected. The credentials were not stolen in the traditional sense. They were just there, unmonitored, doing what attackers needed them to do.
Uber, 2022. Simpler anatomy. A service account nobody owned. Credentials that had not been rotated in who knows how long. Found in a network share by an attacker who was already looking. That one ghost identity opened a direct path to the PAM system — and from there, everything else followed. Cloud environments. Source code. Internal tools. One forgotten credential. That was the price of admission.
Okta, 2023. Different problem, harder to solve. The credentials that mattered were not even on Okta’s own infrastructure. They lived with a third-party support vendor. Technically, someone else’s environment. But they carried access rights into Okta’s systems, and when that vendor was compromised, the pathway was compromised too.
